C (12:05)

To realize the future America needs, we understand what's needed from us to face each threat head on. We've earned our place in the fight for our nation's future. We are Marines. We were made for this.

B (12:23)

John Anthony Smith is founder and Chief Security Officer at Phoenix. And in today's sponsored Industry Voices segment, we discuss why more technology hasn't made us more secure.

A (12:36)

I think the key disconnect is that we leaders commonly believe, or and frankly IT professionals as well, that purchasing a new tool is going to solve problems. And I think at the onset when a tool is actually deployed, maybe, maybe it does solve some significant security challenge. But having performed hundreds of assessments in my career looking at various security tools in various organizations, I can say with emphatic belief that most of these tools are largely not configured in the context of what threat actors are able and willing to do. Maybe they were in the time that they were put in, but most of the time I'm even doubtful that they were even implemented properly. The real problem is as organizations are making these investments, frankly, they're looking for silver bullets by buying something and making a problem go away way and simply it's not playing out that way, in truth.

B (13:32)

Well, can we dig into that? I know you've said that security failures usually aren't about missing technology, as you mentioned, they're about configuration and execution. What does that look like in the real world?

A (13:46)

Yeah, I'll give you, I'll give you some real world examples of this. Actually. Coalition, a cyber liability carrier based in California, a researcher there recently released a piece where he actually said that during significant breach, companies that have filed claims, cyber liability claims, 58% of them discovered a partial or significant failure of their recovery capabilities during said breach or said significant security event. What we know from our own Data is that 84% of organizations that we meet and breach first time we've ever met them, to actually orchestrate their recovery from a disastrous exfiltration or destructive event, that 84% of those organizations do not have a single survivable copy of backups. And so I would just say to you, organizations are commonly spending a lot of money on expensive backup and recovery tooling. Things like Zerto, Rubrik, Cohesity, Veeam, Dado, Druva, insert backup product here. And these products are commonly not orchestrated to actually use the features that they're designed for properly. And frankly, because most of the time these things are not being implemented from the context of breach. I'll give you another example what we commonly see, especially with the proliferation of SaaS and cloud environments and in work from home, of course since COVID it's been more extreme, but organizations have increase the convenience at which their users can work by allowing them to log into things like Office 365 and Salesforce and ServiceNow whilst off of the corporate network, off of the corporate infrastructure and machines, desktops, laptops, et cetera, and allowing them to use their personal devices to do so. In doing so, they have actually exposed effectively their entire credential basis and their authentication tokens to malicious harvest. To name a few issues that we see in assessment and breach.

B (15:56)

What about alert fatigue? It seems to me like a lot of folks, they're dealing with this flood of alerts and I can't help but think that that makes the security teams less effective.

A (16:08)

Yeah, I think most organizations that have attempted to build their own security operations centers, frankly, will never be tooled properly. Not only when I say tooled, I don't mean like tools like, you know, Sims and EDRs. I mean because I frankly believe most orgs have several tools that are capable of doing right things. I mean tooled as in people and process and policy. To be honest with you, I think that organizations that attempt to build SOCs on their own are, are setting themselves up for failure. I do see in assessments that to your point Dave, there is a lot of alert fatigue, right? Alerts are ignored or they're simply not staffed enough to actually review them all. And frankly, even with AI technologies, while it is amplifying the effectiveness of all of this, there's still much to do. Right? I just don't think that organizations that have attempted to build this on their own are ever going to be successful. I frankly think that it is better to outsource log review, log response, frankly, because I just don't think orgs will ever be tooled for it. There is a lot of alert fatigue. I will bluntly tell you in breach, many orgs have had had the alerts that should have demonstrated to them that there was an attacker in their environment, but they were being ignored or they weren't being responded to quickly. What we know from breach is that dwell time is commonly short. It's sometime between 15 minutes and 72 hours, most commonly. And so if it takes you every minute thereafter 15 minutes, I would say you have exponentially decreasing likelihood of actually stopping the threat actor from causing some form of a significant exfil or destructive act so the alerts are a big deal and I just don't think orgs are tooled for them.

B (17:54)

Well, what are your recommendations for organizations to I guess self assess? You know what I'm getting at here is people add tools and it increases the complexity. And it seems to me like there's a threshold where if you keep adding tools and adding tools, that complexity itself could become a vulnerability.

A (18:17)

That's a great point. I would say to you. A dear friend of mine once said for every complex problem there is a simple solution and it is always wrong. What I mean by saying that in this context is I think the only way to actually solve a complex problem is with a complex solution. However, I would say it's not commonly a factor of spin. Right. If you look at the market, right, there's the defense and prevention market is a 200 billion plus market. Right. The resiliency market is a $20 billion market. I would just say to you that more appropriate place to focus would be on the resiliency side of the equation. Right. And double down in that area. And I do believe that complexity is required. Right. To actually orchestrate a survivable recovery that's also going to provide a timely recovery is going to require complexity because in essence have to create an environment that frustrates the attacker to the point that they simply give up on trying to find all of your means to recover. And then secondarily to that, on the defensive side, and only secondarily to that, I think with existing tools, I think organizations have to be hyper focused on frustrating the attacker. And I think if you look across what most orgs are doing, they are trying to increase convenience for their users while it's also increasing compliance. And both of those things do not commonly frustrate the attacker. And so I do think actually more complexity is required. Certainly I think there is a straw in there that will break the camel's back. Right. Obviously there's a point at which you don't need any more complexity and you have diminishing returns.

B (20:11)

Yeah. What about the decision making process, the governance? I'm looking at the leaders in an organization deciding whether or not to add these tools, deciding where to spend their attention, their resources. What sort of executive decisions come into play here?

A (20:31)

I would say to an executive, you're probably spending enough money today on prevention. It's highly likely you're spending enough money today on prevention tools. I would say to executives that statistically it is unlikely that one, you're going to have a recovery, two, that you're going to have a timely recovery and your IT org needs to be, should be hyper focused on resiliency. In essence ensuring that the org will have a recovery and secondarily that it will be timely. I would say that if you're going to spend focus, time and money elsewhere or own something, it needs to be resilience. Because frankly, if you look at the, at the statistics, simply no org really is.

B (21:23)

You know, I sometimes think about organizations, security folks, you know, fantasizing that they have like one of those big scissor switches like from an old Frankenstein movie on the wall, and when things go down, they can just go over and reach to that switch and you know, throw it down and everything will come back up and be just the way it moments before. But that, as you say, that's rarely the reality.

A (21:48)

Nearly never the reality. Matter of fact, most orgs we see during assessments because obviously we believe that orgs, when you talk about executives, I believe the best and fastest way to know if you have a resilient organization is actually to measure your resiliency against what threat actors are actually doing. Not what compliance standards say, not what you're reading in the news, but really hiring a professional that understands how threat actors are compromising backup and recovery infrastructures, virtual infrastructures, cloud environments, and actually orchestrating these destructive acts. I think that that is a much better way to spend time and money. But to your point, many orgs are, they have stated objectives, right? RTOs, RPOs, that frankly are not achievable in the context of human caused destruction, right? If you are an org that believes that your critical enterprise resource planning app, like SAP Hosted Internal is going to be back online in four hours with less than 30 minutes of data loss after a human caused destructive act, you're probably living in a farce. Actually, I can almost guarantee you're living in a farce.

B (23:02)

So what's the difference here in your mind between organizations who are set up for success and organizations who are not?

A (23:12)

I love this question. So firstly, I would say an organization that is set up for success is one that has invested significantly in resilience instead of believing falsely that they can prevent all forms of breaches and a breach is unlikely and therefore they don't have to prepare for it. They instead say it's highly unlikely that we will be able to prevent breach and that breach will eventually occur. And when it does, how ready are we going to be? And instead we organizations that have focused there, focused their first and really doubled down on their investments around resiliency leveraging Breach Reality orchestrated multiple copies of backups in multiple identity planes using multiple immutability algorithms on segmented hardware and segmented infrastructure, implementing things like digital air gapping. These types of organizations, I believe, are really set up for success because they have doubled down on recovery first, that's

B (24:14)

John Anthony Smith, founder and chief security officer at Phoenix 24. And finally, Exploit Code has appeared online for an unpatched Windows privilege escalation flaw known as Blue Hammer after a frustrated researcher decided to skip further polite conversation with Microsoft and go straight to GitHub. The vulnerability, now a zero day by Microsoft's definition, can let a local attacker access the security account manager database and potentially promote themselves all the way to system privileges, effectively taking over the machine. The researcher, posting as Chaotic Eclipse, declined to explain the exploit in detail, suggesting others could figure it out, while also thanking Microsoft's response process for the inspiration. Analysts confirmed the technique combines timing and path confusion flaws, Though the proof of concept code is reportedly buggy and unreliable in some environments, Microsoft says it's investigating. Meanwhile, defenders are reminded that local access required is often less reassuring than it sounds, especially once attackers arrive locally by other means. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing@thecyberwire.com we'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2k.com N2K's lead producer is Liz Stokes. We're mixed by Trey Hester with original music and sound design by Elliot Peltzman. Our contributing host is Maria Vermazes. Our executive producer is Jennifer Ibin. Peter Kilpe is our publisher and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.