Secure Insights Highlighting Data Breaches And The Best Approach To Handle It

Interesting podcast with Alysaa Miller highlighting on the most happening thing in the IT space -Data breach. She explains on why it’s the most happening thing and how to apply the best approach to handle a cyberattack

Hello everyone, I am Sowmiya Rajamanickam, and you are listening to Secure Insights – A Series of conversations with industry experts, influencers, and leaders in the IT Security space. In this podcast I have with me Alyssa Miller – Head of Information Security Solutions in CDW. She is a recognized hacker and security evangelist who has more than 20 years of experience in cybersecurity. She believes that in today’s inter-connected world, protecting privacy and building trust with secure systems are critical to protecting our way of life

Hi Alyssa.  welcome to this podcast, it’s very great to have you here …

1. Why do you think data breaches are happening so often?

So, you know, as I look at things, um, I can look at the results of different penetration tests. I’ve been a part of that. I’ve completed with multiple organizations and indeed , I’ve done some training and there’s, there’s a couple of things that are really kind of crucial this, right? So, first of all, what we see is a trend that has been pretty solid for a number of years now. And that is, the majority of the vulnerabilities that we identify. And you see this play out in the media when we hear about data breaches, they’re all around, configuration issues. So, they all relate to a situation where, with the tools that were already in place, whether they were security tools, whether they were just configuration options in different software, everything was there that was needed in order to secure those environments. If we look at some of the high-profile breaches as of late, you know, we can look at things like, Amazon S three buckets have been exploited in multiple environments leading into some of these breaches.

And in every case, it’s because, you know, someone set that bucket to public or you know, things like that. Just configuration issues that should just never exist in a production enterprise environment. Now, so that’s still kind of a symptom, right? We want to talk root causes. What we can start to look at are some of the surveys that are being done out there. You know, CDW did a survey at the beginning of the year. They talked to just security leaders and business leaders in general about what happened to their IT budgets over the last two years. That was one of the questions and the results set you see from that survey or that for the vast majority of them, their budgets stay the same or even shrunk. Only 25% actually saw their budgets increase. So that’s like one in four. Conversely, if we talk to Gartner, for instance, released their study recently, looking at the IT security industry, if you will.

And right now it’s about $177 billion industry that they expect to grow to over 225 US billion dollars by 2025. That’s a lot of money going into that. And you look at the number of products and different players and all the messages competing for people’s Mind share insecurity. You know, I think we as security experts have kind of done a disservice. We’ve put a lot of ideas out there. We’ve put a lot of, thou must do this or that type of language out there. So much to the point that I think for most organizations it’s incredibly hard to consume. And as a result, they’re kind of running frantically and no one’s got a real clear picture on how to secure their environments. And the end result is we see these misconfigurations and other things that make it all the way into a production space.

2. So, I mean there are like so many solutions and service providers and with those things we can avoid data breaches, but still it’s happening so often. Do you think it is because the organization are ignorant or like you said, it is a budgetary issue?

I think it’s a lot of things, but I definitely don’t think its ignorance. I think I put a lot of blame on, again, on the security industry. I think we’ve failed to educate to some degree. There is some willful negligence on the part of some organizations. I do believe there are some who are, you know, far more focused on the need to get to market fast and trying to drive, your shareholder value by showing their leadership in terms of innovation and so forth. And so, they do that a lot of times at the expense of security. Security kind of takes a back seat. You know, I think from a security perspective though, we again can take some responsibility for that for not really doing a good job of showing how security can help enable that innovation.

Right. We go in, we talk to business leaders and we try to scare them. We tell them all these horrible stories. We tell them all about these, you know, advanced persistent threats and threat actors and all these, you think of every buzzword you’ve heard in the security industry and it’s all centered around fear. Well we don’t do is partner with these business leaders and help them understand how addressing security early in the life cycle of a product early in the life cycle of an application early in the life cycle of any specific project can help enable better growth, can help enable a new line of revenue. You’ll can create new space for that business to operate that maybe they hadn’t seen before. And it’s when we start to do that, it’s when executives and members of the board and so forth can see the value from a business perspective that security brings.

That’s when we get credibility. They start to make security a priority in what they’re doing. We’re starting to see that shift begin at certain organizations who are maybe a little more mature or have come about with that form of a security focus in their culture from the start. But we’re still, there’s a lot of fear, uncertainty and doubt being spread out there that’s just not productive for what we do.

3. What’re your thoughts on SOC and SIEM working together? Is it a viable option?

I think in the long run it’s going to have to be right. I honestly, you know, that level of information sharing that’s required there. It’s not happening today, obviously. That’s why you asked the question. It’s been talked about. We’ve seen these ideas of like SOAR, that kind of touch on that idea when they’re, you know, they’re focused on automating and, bringing all that together.

And that integration is a component of it. But, you know, I think right now the world isn’t ready for it. We don’t have that. The messaging is so far off from where we need to be. The technologies and capabilities for that data sharing. They’ve been out there but they’ve not been really strongly developed. You know, it’s, and it’s too bad because really at the end of the day, you know, I’m a firm believer, security shouldn’t be an industry in the first place. Security is everybody’s problem. I don’t care if you’re a business analyst, I don’t care if you’re on the housekeeping team and you’re sweeping up after everybody. At the end of the night, everybody has to be aware of the implications of what they do to the overall security of their organization, of their environment. They need to understand that threat model. You know, what is it as I’m, you know, sweeping up papers at the end of the day are your garbage is on the floor.

I’m taking out the trash. What responsibility do I have in terms of securing in this environment and making sure that, you know, if I’m finding sense of data lying around or whatever, how can I be a part of the solution rather than just simply ” It’s not my problem. I’m not supposed to look at these”, you know, I don’t worry anything about that. Yeah, so I think to your question, yes that integration is important. That type of communication cooperative, a relationship needs to exist. It needs to grow even bigger than that, but we are so far from that right now. We are not ready for it yet. We can get there. There’s a lot of technology in place already that could help. It’s more on the culture side that I think the work needs to be done at this point.

4. So, there is a rapid adoption of AI and machine learning. Do you think data breaches and Ransomware can be mitigated fully or to some extent controlled using AI and machine learning tools?

So, there is a rapid adoption of AI and machine learning. Do you think data breaches and Ransomware can be mitigated fully or to some extent controlled using AI and machine learning tools? Every time you make an advancement in machine learning for defensive purposes, you’re also creating that same skill set for the attackers. And this is, you know, so I look at things like, so I’ve done a lot of research for instance, into deep fakes, the videos where people are very convincingly creating fake videos of other people saying things and doing things on video that aren’t really that person. And that’s all driven by these neural networks we call GANs or generative adversarial networks. We literally have two neural networks that are working against each other. One’s trying to fool the other and the other’s learning, and they both learn from each other. And see, that’s what we see in AI. So, because that’s how it’s designed to learn and to function and to grow. And so, the thing is just like we’ve seen in the human realm where we’ve seen, defenders get better than the attackers react, and they learn, and they get better and it’s kind of keeps going back and forth.

AI is just going to do the same thing now in a machine learning realm, right? You’re going to see the attackers leveraging the same technology that we’re using as defenders. They’re going to leverage that and they’re going to use it against us. The datasets and the networks that we’re using to create these defensive tools are also going to drive the creation of new attack tools. And so while I think AI is going to be helpful, it’s going to give us a lot of exciting capabilities that are going to, you know, potentially free up a lot of the mundane day to day work that humans are doing right now. I think expecting AI to be an end all be all solution to breaches it is, is horribly misinformed. And I think it would be foolish to expect that we’re going to generate something like that that’s going to just solve all the world’s problems. We’ve, seen vendors say that plenty of times. It doesn’t happen because this is a process. This is a constant battle that I don’t believe really has an understate.

5. As of now, what do you think is the best approach to handle a data breach?

Do you mean when, after a data breach has occurred?

Yes

Obviously, my hope would be that everybody would, you’ll have a, first of all, just the form of incident response plan in place to deal with that. When dealing with an incident, and I speak from experience, I can go back to 2010 when I dealt with my first data breach as part of a large FinTech organization. I’m trying to deal with a data breach on the fly. When you don’t have a solid incident response plan is nightmarish.

I mean, there’s so much you have to worry about in terms of communications and notifications and a remediation strategies. When do you start to remediate? I’m understanding that, you’ve been breached, shutting down your systems and then, trying to fix them all right away isn’t always the best approach. In some cases that can actually be detrimental to what you’re trying to do. So, there’s a lot of strategies involved. And so, you know, working just to develop a comprehensive strategy for that before you get breached is the first step to reacting to a breach, when the breaches occur. You know, certainly, we’ve got lots of vendors in the space who deal with incident response and you know, engaging with someone who this is their expertise, this is what they do every day, strongly encouraged. You know, having that skill set on retainer.

So, you have someone you can call at a moment’s notice that’s gotta be part of your plan. But then it’s really a matter of your containment. How do we contain the breach? Being able to collect the data to really understand the depths of the breach. So often we see organizations who react too quickly start to try to clean their systems, have an infection, and then three months down the road they’re infected again because they didn’t find all the fingerprints of those attackers who are in their network and what they had done to establish persistence. And so that’s where it’s just crucial. I have people with that skillset on your side working on your behalf. If you don’t have those people internally on staff, you need to be working with that instant response vendor who can provide that level of expertise because it’s a whole new world when we look at digital forensics and incident response, that is a skill set that most organizations don’t have at the ready, just within their, their own employee base.

6. What’s your thoughts on Zero trust? Is it Achievable?

 Zero trust is absolutely achievable. You know, it’s zero trust to me honestly is another name for what we’ve been saying we should be doing for decades. You know, you look at what Google created as a part of zero trust and you know, you can definitely from that alone see that this is something that’s attainable. It’s something we can do. But it’s not really that different from what we’ve always been saying. I mean, I can go back 15 years to when I was working in financial technologies and we were telling people then who are just starting to create web services and things, Hey, look, you have to be authenticating more than the users. You need to be authenticating who’s connecting to these web services, you need to authenticate it, all these different levels. You need to have identities for all this and being able to authenticate and authorize each one of them at every level.

We were talking about that 15 years ago that that’s not new. When we look at zero trust . Zero trust is saying essentially the same things you all authenticate everything. Yup. Principles at least privilege. Okay. We’ve been talking about that for better than two decades. Yeah, it’s a new way of looking at it. But it’s bringing together a lot of the same components we’ve been talking about for a very long time. I think what makes it most different other than being a new way to look at it, is that we have new tooling in place to help with a lot of this, right. Things that weren’t available to us 15 – 20 years ago in terms of identity and access management and, you know, some of the privileged access management components, all the things that need to be a part of a zero trust model. We’ve got more a readymade capabilities to help achieve it today than maybe we did 15 years ago when we were shouting it from the rooftops. But we really didn’t have solutions to provide to help. I actually make it happen.

 That’s great actually. So that’s it, Alyssa. Thank you so much for your time and I’m very glad that you did the podcast with us.

Yeah. I really appreciate it. Again, thank you so much for having me on

Speaker

                                        Speaker

Alyssa Miller

Alyssa Miller

Head of Information Security Solutions at CDW

Alyssa Miller is a recognized hacker and security evangelist who has more than 20 years of experience in cybersecurity

Host

                                        Host

Sowmiya Rajamanikam

Sowmiya Rajamanikam

Software Developer

Sowmiya is a Software Developer in Sennovate. She is passionate about writing technical articles and building applications from scratch. With a great zeal to learn, she conducts podcast interviews with industry leaders in the IT space.