CyberWire Daily - Cyber confidence: Knowing what you have and where it is. [CyberWire-X]
Episode Date: October 16, 2022
Between multi-cloud deployments, more employees working remotely, and increasing use of SaaS applications, the number of entry points for attackers to infiltrate your systems has exploded. But gaining visibility into all these possible attack vectors is time-consuming and often incomplete or just a snapshot in time. If the first rule of cyber is to “know what you have,” how can cyber professionals get a comprehensive, current picture of their assets? How can they feel confident that they understand which assets may be more vulnerable and prioritize defenses accordingly? In the first half of this episode of CyberWire-X, the CyberWire's CSO, Chief Analyst, and Senior Fellow, Rick Howard, is joined by Hash Table member Jaclyn Miller, the Head of InfoSec & IT at DispatchHealth. In the second half of the episode, Cody Pierce, Chief Product Officer at episode sponsor LookingGlass Cyber Solutions, talks with Dave Bittner. Listen to the discussions about answering the foundational cyber questions (What do I have? Is it protected?), why context is critical, and how an adversarial perspective helps you be a better defender.
Transcript
You're listening to the CyberWire Network, powered by N2K.
Hey, everyone.
Welcome to CyberWire-X, a series of specials where we highlight important security topics
affecting security professionals worldwide.
I'm Rick Howard, the Chief Security Officer, Chief Analyst, and Senior Fellow at the CyberWire.
And today's episode is called Cyber Confidence, Knowing What You Have and Where It Is.
A program note: each CyberWire-X special features two segments.
In the first part, we'll hear from an industry expert on the topic at hand. And in the second part, we'll hear from our show's sponsor
for their point of view. And since I brought it up, here's a word from today's sponsor,
LookingGlass Cyber, a global leader in cybersecurity.
Thank you. to offer you this complimentary Gartner Research Innovation Insight for Attack Surface Management.
Visit lookingglass.com slash resources to learn more.
And we thank LookingGlass Cyber for sponsoring our show.
I'm joined by Jaclyn Miller, the head of InfoSec and IT and Chief Security Officer at DispatchHealth,
and also a long-running visitor here at the CyberWire Hash Table.
Jaclyn, thanks for coming on the show.
Thanks, Rick. Happy to be here.
So today we're talking about visibility or attack surface management.
So let's start with some basics.
When you think about those issues at DispatchHealth, what does it mean to you? What are you trying to do?
Yeah, so I'm thinking about the different domains of our attack surface and what are
different opportunities and vectors to be able to gain visibility of those different surface areas.
With a company like DispatchHealth, where we are literally
changing how healthcare is delivered. In healthcare, the principal idea was you're
largely dealing with the campus or offices and all the patients come to that campus or office to
receive care. We are bringing healthcare into the home. A lot of the concerns that have come up with
COVID and remote work are doubly so for us because we are sending our providers into patients' homes, having to deal
with mobile connectivity and networks potentially that we don't have control over. And so we have
to become very creative about leveraging flexibility, but also leveraging many different
tools in order to gain visibility, particularly
with endpoints. All of those endpoints are then connecting back, of course, to the different
applications that are running in the public cloud environments or SaaS applications that are
protecting PHI, patient PHI. So we are thinking about a very complex attack surface and managing all of that visibility into one
pane of glass is, of course, very challenging because all of those different surfaces are very
different from a technology perspective. So a couple of things before we dive deeper into this.
First, you mentioned an acronym there, PHI. What does that stand for? That is private health
information. So under the HIPAA laws, HIPAA regulations, that is the 18 elements that make up a patient's chart or pieces of information that is related to patient health care.
Did this delivery model that you guys are trying to do at DispatchHealth, did that start because of COVID, or did COVID help it because everybody was locked in their rooms, or were you guys
were already down that path or what was the impetus there? Yeah, we were already down that
path well before COVID. I think COVID really just accelerated a trend that was already in progress
with healthcare in the home. We're in the third year of the pandemic and the idea of delivering
care in the home in many different facets than prior to the
pandemic has become widely accepted. And we're seeing very large companies, everyone from Amazon
to CVS, United, Humana, et cetera, being very, very interested in this model of care.
So you guys are a startup and CyberWire is a startup. And you would think that because we
are so small that we could have a handle on where all of our data is.
But in truth, it's scattered to and fro in what I've heard you describe it as data islands.
So you were talking about that a little bit before I sidetracked us on COVID.
But can you describe the complexity of that situation when your data is scattered all over the place?
On one hand, being a startup means that we can be flexible and adopt new technologies that more established organizations
have trouble really accessing and leveraging.
But on the downside, that means that we're often moving so fast
that piecing together the technology that we use
or interconnecting that technology can be often missed.
And I think that's how we develop this idea of data islands.
We have a specific business problem or use case
that we're looking to solve,
and we deploy technology to specifically solve that problem.
But we don't spend the time to interconnect that technology
or sometimes a suite of technology or tools
into our existing operational tools and landscape. And I think
in startup, when you're making a lot of trade-off decisions, having security monitoring, security
visibility, or even just operational visibility into those data islands is often left off the
project plan and it ends up being an after-action review or a finding in a risk assessment that we
perform where we have to go
back and figure out how to make these things work. So it's not part of the technology selection.
And I think that's probably the number one reason why we end up with data islands is because we
don't think about that integration from a visibility standpoint. We only think about
interoperability from the business standpoint.
Well, I don't think it's just a security thing either. I mean, you know, I'm a relatively old timer compared to you. And, you know, when I started doing this back in the
90s, we just had one island, you know, it was just the data center, right? But as the cloud started
to take over in the, you know, mid 2000s, let's say, all of a sudden, our data was exploding or
being delivered or distributed all over the place.
So, you know, we got cloud providers like Google and Microsoft and Amazon.
And then just fast forward to, I don't know, five years past that maybe, it became acceptable to use your personal work phone to do work.
All right.
I mean, and some organizations got there sooner than others, but I think pretty much that's kind of the standard practice these days.
So it's big cloud providers, it's mobile platforms.
And plus, I'm sure you guys are the same as us as startup.
You know, we're using 100 SaaS applications to run the business.
So data is distributed through all that.
So that's what I mean by data islands.
And like you said, there's no cohesive connectors, you know, that gives you visibility of all that. I think that's where the complexity
is. Is that what your experience is too? Yeah, definitely it is. I think the first place where
things start to get stitched together is always around access, right? Centralizing and making
access administration easier when you've got so many
SaaS applications is an intuitive next step and a good place to start from a visibility standpoint.
But then when we start putting on our security hats and we think about what type of data,
what's the classification? Have we broken down within the application itself? Do we have
RBAC deployed, not just of getting SSO initially deployed. That's where that level
of visibility starts to get really, really cloudy. And it's very hard. You know, we're back to
spreadsheets to keep track of all of that information. Here we are. Here we are 2022 and
roll out the RBAC spreadsheet, right? Yep. So you mentioned RBAC. Tell me what the acronym stands for for the audience.
Yep.
Role-based access control.
So that's where we are looking at fine-grained access controls to give people access only to the data that they need within a specific application.
And which is the central piece to any kind of zero-trust strategy that you're trying to roll out.
And also important to any kind of identity and access management program. So, it's a model for us. But I would say from medium to
large organizations, they can start on this path, this identifying the attack surface with tools
they already have in place. You know, most of the organizations of size have a few firewalls deployed in modern day
firewalls or application firewalls or layer seven firewalls. And any network traffic that goes
through one of those devices is classified as an application, like going to Facebook as an
application, using Gmail, watching Netflix, you know, even pinging a host in the firewall's eyes,
that's an application. So if you configure the firewall correctly, you can get at least a preliminary view of the network flow in your environments, regardless of the data islands. But for you and me, you know, that doesn't work for small organizations. Many startups and small organizations don't even have firewalls deployed. So what do those organizations do?
Yeah, there's a couple of ways to do it that I found at least to approach that level of maturity. One is thinking about conditional access
and starting to configure that with your IDP, your identity provider. And so, for example,
if you're using Azure AD and you start to put in kind of those application-aware rules where even for SaaS
applications, when you're SSO integrated, if you're able to confirm that the user is coming from a
secured device before they access the application, then you can start to become more aware of times
when you get alerts where somebody is accessing something from an unideal location,
you'd be able to differentiate that traffic. So it's more getting aware of the things that you
care about. It doesn't necessarily help with what you talked about with the firewall-based access.
Is my provider accessing or my employee accessing Facebook when they should be doing work? It's not
going to give that level of visibility. For that, really having some type of tool in place that does URL filtering to give
the more understanding about what's going on in the browser is almost required. So things like
CASB, Zscaler are tools that I think for smaller organizations, putting that into your roadmap is really, really important
because it is kind of the replacement
for the firewall-based approach.
Yeah, but like you said, you know, you and I are small.
I have no money to do any of that.
So anything we're doing in this area,
we're home growing it, right?
We're doing it on our own.
So is that your team writing their own software, or are you dishing that out to the CIO
team? You are all those things, but how do you manage that where you are?
We're largely piecing together the tools that we have today to create better visibility. And then
because we are within the healthcare industry, we are heavily regulated. So those are tools that we're putting
on our roadmap and we're trying to figure out what are the trade-offs that we have to make,
you know, the difference between hiring somebody next year versus bringing in a new tool like that
to help us as we scale. So eventually we're going to hit the limit of what we can do with writing
our own solutions, internal solutions, and we'll need to go to something that's more enterprise grade.
Is that one of the cases where compliance laws help a startup because it gives you more ammunition when you go to the boss and say, hey, I need to build this thing. I need tools to do this. Is that
help at this stage or is it still more of a, I don't know, more of a headache for everybody?
I think it's probably a bit of both, to be honest, at this stage. We're
in that gray zone where we have a large startup, but we aren't quite there yet. So it definitely
does help because there is a focus on protecting patient data across the organization. That is a
key goal and metric of ours. But we also have to be good custodians of the business and understand that,
you know, if we're making a decision between being able to provide patient care and taking on this
type of initiative, then the decision is always going to be to take care of the patient first.
So your experience has been in charge of security at a large organization. Now you're
at a startup. So you've seen both sides of the coin. Any advice you can
give to newbies out here that are trying to figure this attack surface thing out? Any recommendations?
Meet your organization where they are. You kind of have to take a really strong look in the mirror
and recognize where your business is at. If you come at the board or your senior management hard
on these topics, it's complex. It's difficult for
them to understand because it's not the world that they live in. So find ways to translate
these types of projects into corporate objectives as well. The second would be to use what you have
to the best of your capability and be creative and scrappy with what you have. I like to use
the three points of data rule. It's like, if we can get three points of information or visibility on something, then we have pretty high fidelity. And
you can actually do that with a lot of tools, whether that's endpoint management tools, our IAM
tools, and many other things that are probably already in your suite. And it's just a matter of
piecing them together, which does take time and focus in your security roadmap.
If you can get three points of data on any user or asset,
then you have very high likelihood that it's accurate
and you really know where the asset exists
or where the user exists and what its status is.
I was just listening to a podcast
and the guest was John Kindervag
and he was
trying to explain what zero trust was. You know, he's the father of zero trust back in the day. And
he was saying that most people get the idea of zero trust wrong because they're assuming you
have no trust. He says, no, no, no. We're trying to get confidence in our trust that we trust that
device, that person is who they say they are or is what they
say they are. And using your three-point data rule, that gives you high confidence that you
get there. I think that matches nicely. It does. And it really helps with the zero trust roadmap,
which is enough of a buzzword at this point that I think executives outside of IT and business
leaders outside of InfoSec understand. They at least, you know, they want to say that we're on a zero trust roadmap or we've got it.
So having that three points of fidelity
really helps implement zero trust a lot faster
and is a huge underpinning to being able to achieve it.
Good stuff, Jaclyn.
But we're going to have to leave it there.
That's Jaclyn Miller, the head of InfoSec and IT
and chief security officer at DispatchHealth.
Jaclyn, thanks for coming on the show.
Thanks so much. Appreciate it.
Next up is my colleague Dave Bittner's conversation with Cody Pierce, the chief product officer at LookingGlass Cyber.
Cody, today we're talking about this whole notion of visibility into folks' multi-cloud environments, those sorts of things.
Can we start off with just some high-level stuff here?
Can you give us a little bit of the lay of the land of kind of where we find ourselves
and what led us to this point?
I think there's a couple drivers to where we are at currently and what I think people in cyber and generally in business are struggling with from a security perspective.
One is that there's, you know, massive digital transformation going on. So most businesses or most of the large organizations
are moving to the cloud, transforming their business
so they can reach their customers anywhere their customers are
and providing that access to work from home
or remotely, internationally.
And so they're expanding their IT footprint.
A lot of that is single cloud adoption
as they move from a traditional on-prem
or maybe hosted or co-located IT stack
to an Amazon or a cloud provider.
But 60%, last I checked,
actually are adopting multi-cloud.
So not only are you moving to something that you may have had a lot of control over,
and you might have had a closet of IT assets and a firewall,
and it wasn't connected to the internet directly,
to a cloud provider where they have hundreds of services from databases to compute and more, which by default, a lot of times it's connected to the internet.
And so that expansion is what we consider the attack surface, that expansion of IT assets
connected to the internet from an external attack surface. And then that complexity of your IT moving to something that is a little bit more out of your control,
a lot more complicated in many cases, and a lot more room for error.
And I think there's a general worry, which is a very validated worry, that this huge transformation, they may not have the visibility or the security controls or analysis of that complexity as they adopt these new platforms. When you add in multi-cloud,
while moving to the cloud is generally
the cloud providers are similar in the services they offer,
but a lot of the built-in security
is different per provider.
So Amazon's, what they would recommend their security stack
looking like is different than what Microsoft would recommend
their security stack.
So you have an extra problem of you're having to learn more, you may be managing multiple security
stacks. And it's, in a lot of cases, kind of a new environment for your IT and DevOps people.
And so that's just created the visibility problem, first and foremost. And I'm a big believer in
cyber hygiene. I'm a big believer that the fundamentals matter
often more than some of the more extreme or technical or cutting edge things in cybersecurity.
And for me, one of the pillars of that cyber hygiene is good visibility.
And it's a paradigm shift. It really is. And I think a lot of CISOs and now more and more of the board or the C-suite
are asking, do we have visibility into our IT assets as we move to cloud and as we digitally
transform the business? And I'll say one more thing about that. This digital transformation,
which I just kind of define as moving to more of a decentralized or cloud-based or data-rich environment, something like that, is good for business.
In my opinion, most businesses need to take that leap.
It has so many benefits from data to cost to speed that it's good. And so cybersecurity is always at the point
where we have to understand and support
what is a positive advancement in technology.
And that creates the dynamic of trying to secure
what is moving fast and doing that really well.
And I think that is really kind of
one of the fundamental things.
I could add that working remote
or working from home
or being international is secondary.
But a lot of those problems are, again,
tied to the fact that you're no longer
just on a VPN connected to a colo.
I think I may be getting these stats slightly incorrect,
but 80% of corporate traffic is now going over the internet.
You're not in a studio plugged into a LAN.
And I think those are all kind of working together.
And people really just kind
of need to retool and kind of get their hygiene down first. Is your sense that there's a general
awareness that this is an issue of these specific risks? I believe there is an understanding of the
risk. Over the last decade, there's been more visibility
into the cyber investment
and outcomes
in most large organizations.
So I think the conversations happen
and that's a good thing.
What I would be curious about
is the understanding
at the more technical level
or more operational level.
And understanding if Amazon is going to cover
all of your security needs,
and that's factored in your transition to the cloud,
or maybe choosing that provider.
And if you believe that,
you may be missing a lot of the work
that needs to go into actually creating that.
So I think there's definitely an understanding. I'm not sure if, because it's such a different
environment, I'm not sure if the IT people are as experienced managing that versus a
colo or on-prem solution. If they understand what security the cloud platforms are actually providing
and how you need to invest to augment that.
And that includes rewriting your security policies and changing your risk assessment
and risk appetite for this new, more dynamic world.
Hmm.
To what degree are we dealing with folks being kind of comfortable and maybe even blinded to things that are happening within their organization? I guess what I'm saying is,
is this a situation where having a fresh set of eyes come in to take a look at things
could really be to an organization's benefit.
Oh, absolutely. I would always have different perspectives. I mean, it's good to have more
help and more perspectives and more vantage points when you're collecting data or assessing
the security of a business. And frankly, when you do adopt more of these cloud services,
Amazon has over 150 different individual services.
The scale is something where you likely do need help,
at least for some time.
Now, if you have a massive security budget
and you're bringing people in that are experts
in some of these things,
then that's great. You still probably want another perspective. And the good thing is that if you can get those multiple perspectives with your own people that understand the environment and the
problem, then that feedback from the second party is actually going to be more meaningful. They'll
know what to do with it. So you have different vantage points and different places that you need to collect
visibility data or exposure data or threat data. And the more of that you have,
if you do it in the right way, then I think you build up more confidence in what you
as an organization need to invest in and what you need to prioritize.
What's been your experience in terms of getting buy-in from the folks who have to sign off on this sort of initial effort, but then the ongoing part of it as well?
The initial part, so I think there's definitely buy-in for bringing in or augmenting security teams that are making a large change and adopting the cloud. I think people are realistic that this is a potential risk, like it is a business risk moving your IT to a different platform and a cost risk.
So there's an appetite for that.
Now, the complexity of the cloud means that I believe while potentially budgets have increased
to support the cloud adoption, it may not be well understood
that you have to be even more aware
of the area of security
you're going to invest that expanded budget in
because you can't cover everything right off the bat.
And with what LookingGlass does
is we try to provide that buyer
multiple different ways
that they can partner with us
and work with us
and get value out of one of our solutions.
And then as they grow and they need more,
they need something different,
we can work with them there. So it's a nuanced, I think it's a nuanced question. I don't think
we can generalize too much, but I generally see that as how it breaks down, that it's a good thing
that budgets are increasing. We just have to make sure that we are using that precious dollars to
invest in something
that's going to have the most bang for the buck.
What are folks experiencing on the other side of this?
Once they get a handle on this
and it becomes a regular part of their operations,
what sort of things are you hearing?
I like to point to DevOps and Agile.
Once you're a little bit more established,
you start generally increasing automation,
increasing the use of platform as code
or infrastructure as code.
And so you have these moving parts
that your developers, engineers, or IT are adopting
that help them be more consistent
and help them build faster
and all those other good things.
And I think what we see on that side
is people want to,
they may have an idea of a baseline,
a secure baseline,
and that's what they want to stick to.
They want to make sure that they don't deviate.
So we see a lot of people,
for instance, in DevOps,
where an engineer or a team is building something
and they're deploying containers or assets in the cloud.
And they may not realize that their development environments
that they're pushing to the cloud are not as secure
or not following the same principles
that their production systems may follow.
And you get an asymmetry where attackers are very capable of finding out
that you have developer systems that have lax security,
and they'll go after that versus your production systems.
And that deviation from a baseline are the expected security policies that you have.
And that includes controls, authorization, identity management.
That deviation becomes more important.
So we want to be able to tell you that we just discovered a new database in your Amazon cloud that does not have the firewall policies.
We'd like to thank Cody Pierce,
the Chief Product Officer at LookingGlass Cyber,
and Jaclyn Miller,
the Chief Security Officer and Head of InfoSec and IT at DispatchHealth,
for helping us get some clarity
about gaining network visibility.
And we'd like to thank LookingGlass Cyber
for sponsoring the show.
CyberWire-X is a production of the CyberWire
and is proudly produced in Maryland
at the startup studios of DataTribe,
where they are co-building the next generation
of cybersecurity startups and technologies.
Our senior producer is Jennifer Eiben.
Our executive editor is Peter Kilpe.
And on behalf of my colleague, Dave Bittner,
this is Rick Howard signing off.
Thanks for listening.