A

You're listening to the Cyberwire network, powered by N2K.

B

If you like what you're hearing so far and want to learn more, add our recent episode with Cynthia Kaiser from Halcyon into your queue. In this episode we discussed how to build defense in depth strategies to address the threat of ransomware and what designating ransomware groups targeting hospitals as terrorist organizations would mean for thwarting cybercrime. Now let's get back into the episode with Matt. Hello and welcome to Data Security Decoded. I'm your host, Caleb Tolan and today we have a very special episode for you. Over the past several months, we've had some incredible guests on the show to share valuable, actionable insights that you can do today to improve your organization's resilience. We've compiled some of our favorite advice from the show over the past several weeks for your summer listening assignment. Let's get into it. What would you say are three actionable steps that you would like to see defenders take across the board to best prepare for ransomware and be able to respond when they eventually are targeted?

C

Yeah, that's a great question. I mean, the three ways that I would really advise any defender to best protect their network include phishing resistant multifactor authentication, ensuring that like any checks better than no check, right? So even the text message multi factor authentications that I of course have, you know, on certain sites is better than nothing. But phishing resistant, right? Using codes, using apps, some hard tokens, some way so that there can't be anyone that gets in between you and the multifactor authentication code that you're receiving is really the best way to protect identity. So I would absolutely prioritize that as number one. Number two, I would ensure that I'm focusing. I mean, zero trust is a large thing, but just having defense in depth. And by that I mean it. You can build a wall, that's great. But some people figure out how to scale a wall. You need barbed wire at the top, right? If you have across your street there's three houses with walls with barbed wire and one without, which one's going to be, you know, broken into first. So making sure that you have some additional security in place is also critical. And finally, I'd make sure that all organizations and defenders understand that they are going to be targeted, they are going to be attacked. And to my point on AI, they're going to get in somewhere, probably onto your network. And I'd say this for an organization, but I'd say this for a grandparent that was just targeted with the elder care fraud calls that we see go rampant or the cryptocurrency fraud and other types of crimes related to that too. Is the most important thing to know is you're not alone. And to really you're not alone. You're also, you're a target no matter who you are, what organization you are. Which means you need to practice incident response. You need an incident response plan. You need to take it off the shelf, make sure it's accessible even if your networks go down. And you need to incorporate all the right people into an instant response plan. Not just it, but executive leadership, marketing, pr so you know how transparent you want to be. Especially if an actor's lying about what they did to you right in public, figuring that out. So really like these aren't going to sound new to any defender, but they work and they're critical and important to being able to rebuff but also be resilient from ransomware attacks.

B

Absolutely. Anybody who's been listening to the show for a while is going to note this, but I've, I've said this anecdote a couple of times, but it goes back to the conversation of eat your fruits and vegetables. Like all of the basics of security, hygiene still matter for the vast majority of organizations. So I absolutely resonate with that, with that sentiment that you shared. And so I know you spent decades in the public sector and now you're making a massive impact in the private sector. And I want to ask you for two inconvenient truths. One that governments need to accept to address ransomware, and then one that private sector needs to face to become better prepared for ransomware attacks to eventually happen

C

on the government side. And this is something that I used to really beat the drum for. So it's almost a confession at this point. But one item that government really needs to readjust its thinking on is the conversation on information sharing. It's important I get it right. More information, bringing it all together. It can't be siloed. But the private sector has so much data and even coming from my point vantage point of knowing what I want to tell FBI and like talk to them about it and provide over to them, I don't understand fully what would be most useful. And if I don't understand, I can't imagine anybody else understands exactly what would be useful over into government because I can't just send all of my data over. They don't even have the tools to be able to parse through it. Right. They're a little behind on AI and you know, that kind of data analysis capabilities overall. And so, you know, what, like, being more specific, what kind of information do you want? Why? How do we get it to you? But, like, kind of stopping, having this more generalized conversation around it and getting into much more specifics with private industry really matters here. I see on the private sector side as, uh, it's interesting. Helsan did a study of talking to CISOs, and we asked a lot of questions. One is, you know, how prepared do you think you are to be able to rebuff a ransomware attack? And, you know, I think it was about 70% said, yeah, I'm really prepared, right? I could. I could rebuff ransomware attack. And we asked a similar question. How many of you think that you would pass like a red team target? Like, how many of you would pass kind of that pen testing that testing people do of your network? Right? And about 70% said, oh, I don't think we'd pass. The ransomware actors act just like a red team. They act just like you're going to see companies that come in and are testing your network and they're trying to use your native tools against you and go across surreptitiously and really find, you know, what's most valuable. All those things, the same tools that we would see them use, we see the ransomware actors use. So I think there's this overestimation in the private sector about how prepared they are to rebuff an attack and stop it. And I think there needs to be more of, like, an honest accounting for how sophisticated cybercrime is. It's so, so much more sophisticated, different than it was just two years ago. Kind of understanding that and knowing you have to do things differently than two years ago as well is a critical to being able to protect your network.

D

Right?

B

Right, Absolutely. That's a very interesting juxtaposition there of those two responses. And I would have a couple of questions for that CISO who maybe gave those exact answers on that survey. But, Cynthia, it has been wonderful having this conversation with you. What is the most important message you want to leave with our listeners today?

C

I'm going to leave two. One is ransomware is so different than it was two years ago. Right. So make sure you're keeping up to date and re looking at how you're protecting. But the last one is that we should all be a lot more angry about ransomware than we are. We should be honest about what the impact it's causing, and we should be honest about Getting together and needing to work together to do something about it.

E

Foreign.

B

For the cloud administrator who's listening right now, who has a backlog of patches and have to address all of these different misconfigurations that, that are on the list to address, what are the three most actionable steps that you would recommend they take to harden their cyber resilience right now?

D

Yeah, I guess the one thing I would say is it's not just about squashing configuration misconfigurations because those are endemic, those are going to get introduced regularly. You're going to constantly be playing that game of whack a mole. So yes, that's important and yes, that should continue to, to, to be part of, part of the process. But widening your scope beyond that, thinking about survivability of data, I think is really critical. So applying those same concepts that we apply in the data center around immutability and air gapping for any sort of backup to ensure survivability of backup data is really critical. Mutability and air gap in the cloud is a thing. You may do it differently than you do it in the data center, but it's a thing. Right. And it still needs to be taken care of in the cloud as it does in the data center. The second is a focus on the identity system. I know that identity may not be a cloud admin's job, but understanding things like non human identities that get introduced into the environment, understanding things like just in time privileges so that you're not allowing admin privileges for any period of time for, for a long period of time to particular identities, understanding what my domains have access to in isolating domain domain data, incorporating things like domain separation into the environment is really critical. And then the last piece, I think this is something every cloud admin deals with is controlled sprawl. Yes. If you're new to the cloud, as you consume more services, I can guarantee you you're going to end up with service sprawl. You might end up with service sprawl on a single account initially, but you'll probably end up with service sprawl across multiple accounts, across multiple regions, and then even across multiple hyperscalers. The goal is to control that sprawl, understand what I have, understand what comprises my minimum viable business, and then I have a recoverability strategy across all of those assets. That to me is the third and obviously I think the most important one.

B

And so for the organizations who are either beginning or are in the middle of their cloud transformation, what are the two inconvenient truths that they need to kind of face as they go through that modernization.

D

Yeah, I guess the easy one here is understand the costs. Right. A lot of times we'll make very poor assumptions that moving to the cloud is going to be cheaper than being on prem the way hardware is nowadays. That may be the case in some instances. It's probably becoming pretty common where the cost equation could be more in favor in cloud than it could be in on premises. But understand what you're walking into. Understand the cost structure, understand how the hyperscaler charges you, you know, have EDP or agreements in place to, to. To save on that cost. And just understanding the cost structures in general and how the, and how that works is super critical. I guess the other thing that for me that I think is, is, is really important and for any cloud, you know, cloud forward organization is that not all services are created equal. Know the limitations of each service. A VM in the cloud may not operate the same way as a VM on prem and obviously from a configuration perspective it'll be very different. So understanding the differences between those services and how to best optimize for those services is going to probably get you to a better state, especially when it comes to resiliency of those services and how you get those services back I think are really, really important things for cloud admin focus on.

B

Absolutely, absolutely. Well Matt, thank you so much for your time. What is the single most important thing that you want listeners to walk away with today?

D

Yeah, I would say go and learn and get really, really smart on the shared responsibility model that the hyperscalers employ in the environment. And what that basically says is that the hyperscalers are responsible for the uptime and the performance of the service itself. What they're not responsible for is the data that you put in those services. And then treating the cloud like you would your data center. The data that you put in the cloud needs protecting, just like the data that you put in your data center. Don't just assume that because the cloud provider has your data that they're ensuring do care of your data. They're not, that's not their responsibility as dictated by the shared responsibility model. So really understand that, internalize it, build a resiliency framework that that is going to protect you and one that is going to meet the RTOs of the business. You have to look at the worst case scenario. This is the new reality we live in, is that we have to assume that a breach will occur. And when it does occur, how long is it going to take me to get my business back. And then doing that in the cloud is a little bit more complex than doing that in the data center. But it's the same problem. So treat it the same way.

B

What are the three specific hygiene metrics that they should report back to their CISO this week that actually correlate to reducing the blast radius of an attack?

A

So like the practical takeaway is really like where do you fall within, you know, a sector? But I know like generally we love to talk about threats in, in sector specific ways and it is absolutely applicable, but it's not a one size fits all approach to an organization. Like look at the manufacturing sector. If you look at the wide swath of that are considered manufacturing, they all have very different threat profiles. So really focusing on what is the thing that you create, what is the thing that is most valuable to you and what kind of threat actors would be interested in that sort of thing. So if we continue on the healthcare example, these are more exposed to financially motivated attacks. But you know, you've got sectors like government, energy, telecommunications that face higher level of, you know, the espionage centric attack. So regardless of industry though, the good news is like the general hygiene still is like the best way to defend against all of these attacks. So you know, you've got the identity hygiene. So reducing unnecessarily admin accounts, regular reviewing access, like we've talked about that ag nauseum, we still need to do it because that is still a great way to get into an organization. Second is the segmentation piece of things or blast radius control, as you were saying. And so in just ensuring that a single compromised entity, system, whatever it be, is not going to expose your entire environment. And then third, and these are, this is a tough one too, visibility across all of your entities. So service accounts, automated workflows, I would love third parties or your vendors in there as well. And then practice, practice incident response readiness is so important. I know we have drilled that in as an industry pretty heavily, but expanding what that readiness looks like. So not just an incident within your network, an incident with, you know, maybe a specific type of account, maybe with one of your third parties and really working through what an incident and recovery looks like with something like that.

B

So what are two inconvenient truths about identity resilience that security teams really need to start coming to terms with?

A

You know, just identifying all of those service accounts I think are always tough. And particularly now that we've got AI really being incorporated into every single network, what are those AI agents look like and how do we secure them? You know, I think that is the new frontier when we're talking about identity. You know, phishing is still going to work. I don't think we're ever going to get away from our end users being targeted. So it's going to look different again as MFA is everywhere. As you know, AI becomes, or AI agents become a broader part of the corporate environments. But, you know, people still have to log into their computers one way or another. And that is going to consistently be an area of opportunity for threat actors.

B

Absolutely. Well, Allison, my last question for you is what is the single most important message that you want to leave with our listeners today?

A

It's not all as scary as, you know, you might be reading. A lot of the basic hygiene that we've been talking about for years is still going to combat the majority of the threats that we're dealing with.

F

Foreign.

B

What are the three actions that defenders can take today to start improving their clinical cyber resilience?

G

Oh, my gosh. So email, it's like the front door. You need to lock the front door. And that goes like, if we talk about front door emails, one, like, have really good email security. If you do not have an organization like a basic email blocking system, invest in like a team that can also augment your security team on top of that. So it's not a product pitch, but we have like a for instance, second site that's a team. I run a team of hunters and I see firsthand how this could help. So funny enough, even the dprk, we stopped dprk, IT worker fraud against a major healthcare provider in the US and they're not using any malware, they're just talking to the HR department to get a job. And it's like we had to alert the customer. Or the HR departments are like, hey, that person is not named Caleb. That person actually has a different name and it's a North Korean operative. So you don't want that person in your network. So email and anything you can do to harden that is a great one. So we say like having an ability and it goes beyond remote management tools, an ability to monitor any suspicious behavior in your network. So having more grip on the, on the low bins, because that's kind of a common threat. If we, if we talk about what we've been discussing, segmentation still holds up. So any like the OT requirements that we have so your most vulnerable systems. And, and I know, I realize this, right? We know for a fact it's not easy for a medical supplier to Address a lot of these vulnerabilities because there's, I don't know, downtime or it makes it extremely difficult with patient impact and whatnot. So having segmentation in a network, not everything has to be connected is actually a healthy thing. And then lastly, I would say limit your attack service. So if you look at how a lot of these threat actors will operate is they'll scan your IP space and they look for vulnerable systems that are accessible through the Internet. And if you do this as a security team on a continuous basis and you can address these vulnerabilities and then it's not only, and this is very funny, it's not only the vulnerability that you have to plug, but you have to use threat intelligence. Threat intelligence about like, okay, which threat actors are leveraging this vulnerability? And how can I rule out that? Like yes, I put my finger in as a Dutch analogy, right, and put my finger in the dam. But you want to know like all the water that already came through, is that not like where, where are the piles and the puddles of water? So like where's. If the threat actor already got in, where could he hide? So proactive hunting in your environment is another thing. So I think I summed up a whole lot of stuff. So we have to detangle it probably.

B

Yeah, yeah, that's great. All right, next one for you is two inconvenient truths. What are two inconvenient truths that every security leader is ignoring right now in healthcare when it comes to data security? Maybe not every security leader, but maybe, maybe the ones that, that are, you know, have their rose colored glasses on.

G

Ooh, inconvenient truth. I would say you're putting me on the spot here, Caleb. I would say AI for data security is as much a savior as it is occurs. When I look at our data security solutions, it's a lot of times a lot of like our customers are like, hey Trellix, we love AI. Can we have AI to help identify sensitive data in our organization? So can you have your Trellix wise AI assistant help us identify data sets, codify them, label them, all that stuff. So we need to have on this side. And then the other end is like, hey Trelux, we have no clue who is using AI and if our intellectual property is going out the door. So it's like we have to embrace AI by making things easier for customers. But at the same time it's like how do we put guardrails on? And especially in the healthcare industry where, or pharmaceuticals where you're dealing with IP, the last thing you want is that somebody puts IP in the public ChatGPT function and then it's like, goes out the door and then it's out on the open. So for AI, that's definitely one inconvenient truth. It's as much a blessing as a curse if it goes with healthcare. I think the inconvenient truth is that kind of touches on data too, is for the longest time we've been thinking about healthcare or healthcare providers or hospitals and I've seen like the start of ransomware targeting hospitals because first that was like, oh, we don't do that, that's unethical. And for the longest time, health, healthcare providers and hospitals had something that I, I'd like to call the, the cyber Red Cross, the Cyber Red Cross syndrome. So, you know, like, hey, we're the Red Cross or the half moon, like, you don't attack us, we're, we're neutral or whatever. And I was like, no, that's, that's pass. That's no longer it. But that's still, that attitude still is prevalent within certain healthcare organizations. And by adopting that attitude, you limit yourself from a security standpoint because like, that moment has passed. And, and, and if any, like, even with the recent like, attack against Stryker, which has a medical tie in, and how the third actors were leveraging itunes to delete everything, yeah, you're a target. So like you need to drop that. And that's inconvenient because that like, yes, there are horrible people out there that have it out for you and it's either they want to disrupt you or they want to wipe stuff that you're doing to make an impact because they're acting on the name or acting according to a certain regime, or they just want to make money and it's pure business to them. So you better be, be prepared and make sure you have adequate security and investments in place.

B

I couldn't agree more. I mean, look, I put you on the spot and you gave two really, really good inconvenient truths. So, so kudos to you for that. And you've shared so many really, really actionable insights that our listeners can, can take away with them. But what is the single most important message that you want to leave the listeners with today?

G

Well, if there's one message, and that's also on the report, is that healthcare cybersecurity cannot be treated as a back office compliance exercise, I really think it has to be approached as an operational resilience and patient safety priority. And that's Kind of the two things we already touched upon. And organizations that do that well will be best positioned to absorb any attempts against disruption or. And they will protect the trust of their patients and they keep care moving along because that's what it is, right? You want to be able to provide the best level of care to all your patients, no matter what. So it's all about resilience.

B

What are the three actions that defenders can take right now to improve their resilience and their AI readiness?

E

Yeah, definitely. I think the technology is evolving right now. So that's why the frameworks are getting developed and then people are starting to deploy and all these things. So it's not as mature as it should be. So that's why the people are kind of facing the challenge. But from a practicality point of view, I would definitely suggest that see the agentic systems not as a consolidated system, but as a part of. In our framework, we are kind of saying three layers, but it depends on how you know if you are looking at attack pattern or let's say MITRE framework that are mostly driven by the type of attacks that are there. But see the problem from a different angle, like what are the components that are there? I would rather say that, stick to the architecture, say that. Just like in our case when we are saying that tool layer, the cognitive layer and the identity layer, and then decide and look at each layer because each layer is having some different set of challenges and they have the ability to do different level of damage at each layer. So look at the threat modeling of those things by looking at that part and then see where the challenges are and then trying to fix those. For example, in tool layer is very serious because that is actually the one that is carrying out the activity. It's interacting with your database, it is interacting with the internal stuff that you are trying to do. So make sure that it is running inside ephemeral containers. You have network segregations, you have firewalls in place. You are doing input and output validation of these things so that the tool does not really do anything wrong as per the environment. So though we have described the recommendation in our report in more detail and we have also given some insight into how the mainstream platforms are actually kind of have implemented to some degree these controls. So I do feel that the workspace isolation and sandbox, this type of isolation is very, very essential in deploying these systems.

B

Yeah, right. And Joe, I'll go back to you for this one. What are two inconvenient truths that every security leader is ignoring right now? That they shouldn't be about AI and human oversight.

F

Well, one, I would say probably the, the most inconvenient truth is probably the explosion of identities. It's just right now I think we're trying to get a hold of like what number it actually is. What's the ratio from human to non human identity? I know in past reports we've given numbers, we've quoted numbers from our partners as well. But I think we're at a point now where it's like, well, everybody has a different number. I think it's become a subjective thing and that you can thank AI for that, especially with the agents, I think. So that is an inconvenient truth. And I think it's obvious why identity management in itself becomes insurmountable task. Well, I shouldn't say insurmountable. Everything is possible, right? What I think is happening is it's moving so quickly that it's making it harder to catch up and manage. That's kind of what I'm getting at. The reason is that agent identities, just like I've used this in the past, like elastic infrastructure in the cloud, you can have VMs spin up and spin down in a matter of seconds, just like identities. That's kind of the same thing. We're in this elasticity with identities right now. The second inconvenient truth is what. I'll go back to the telemetry piece. There's going to be a lot of hard work here because it's a matter of like, I posed a few of the technical challenges. There's a lot more. And it's something that my team, or mit, myself and others we're currently trying to figure out. Like how do we actually come up with actionable telemetry for agentic AI, that one can handle the elasticity of different agents being created and destroyed and vice versa, all that stuff. That's another inconvenient truth because no matter what anybody says right now, like, oh, I have complete visibility into my environment, okay, you have visibility, but we're talking about observability, right? There's a. And the reason is there's a key difference. Like you may see all of them, but you are you actually observing what they're doing, right? There's a big difference to that. And that's what I'm getting at is that's the second inconvenient truth is like from visibility get to observability. So that's the second.

B

To your point earlier, the difference between visibility and observability is really like the context, like, yeah, you can see that they're there and that they're doing things, but are they doing the things that you want them to? Are they doing things that you don't want them to? That context, rich insight is really the difference between the two terms, for sure. Well, as we, as we close out the conversation here, I'll ask both of you the same question. I'll start with you, Amit. What is the single most important message you want to leave with our listeners today?

E

I think my message would be that, you know, AI is coming, definitely be responsible and deploy it with responsibility. That's what I would say. Otherwise the consequences could be very, very, very, very dangerous.

B

Yeah, right. Joe, what is your single most important message that you want to leave with everyone today?

F

We live in a scary world. I think we need to take a deep breath and really reflect on all the decisions that are being made. And I'm not talking about like, the greater. There's a lot of things happening. I want the scope down to just the AI problem, but I think it can relate to everything else as well. Reflect on the decisions you're making. There's a lot of doomsdayers as well as there always has, always has been with pretty much anything that's unhelpful. When you're constantly talking about how things are, are going to be destroyed, how jobs are going to be lost, how you know the world's going to end. That's never helpful. Just remember that and reflect on it and realize like, how we can leverage AI in a positive, beneficial way. I want the benefits to be realized from AI for the world, but I think security has a major position to live in within this because without us, without us protecting critical infrastructure, hospitals and things like that, you still need humans to do this type of stuff. Because we, we're building these things, we should be in the loop on these things, right? It's, it's like, I'll end it on this, right? Like, it's like organizing a party and no one inviting you to the party you just organized. Okay. You're being left out of the loop, right? No, you want, you want to go to the party you organized, right? It's the same thing with AI. Like, if we're building all these things, you should be very smart in terms of looping in the human, different checkpoints to make important decisions. And that's the message I want to leave on, is like, I'm tired of the doomsayers. I'm tired of like, this apocalyptic scenarios. There's always things going down and there always will be, but there's also a lot of positives in the end of it. So I'll leave it there.

B

That's a wrap on today's episode of Data Security Decoded. If you like what you heard today, please subscribe wherever you listen and leave us a review on either Apple Podcasts or Spotify. Your feedback really helps me understand what you want to hear more about and is one of the best ways to help support the show. If you want to reach out to me at about the show, email me directly at data-security decoded2k.com thank you to Rubrik for sponsoring this podcast. The team at N2K includes producer Liz Stokes and executive producer Jennifer Ibin. Content strategy by Mayan Plout Sound design by Elliot Peltzman Audio mixing by Elliot Peltzman and Trey Hester Video production support by Bridget Kirkey Wild and Sorel Joppi. Until next time, stay resilient.

E

Sam.