Webinar Transcript
Chuck Minguez
All right, well, thank you everybody for joining in, or who may be listening in later. We are very excited today to have Dr. Torsten George here with us. He is, well, let's say, a global traveler.
He is well-renowned for his work in cybersecurity and is also the VP of Product Marketing at ConnectWise. Super excited to have him here today. He's got 30-plus years in IT and cybersecurity and is also the author of Zero Trust Privilege for Dummies.
And today we're gonna be talking about a couple of different things. Well, I should say Dr. Torsten will be talking about a couple of different things. We're gonna be talking about emerging cybersecurity threats, the industry standards and regulatory compliance landscape and why that's so important.
Dr. Torsten is gonna talk about the effectiveness of cybersecurity frameworks, and then also what it looks like resource-wise for allocation and budgeting for cybersecurity. And then we'll have some time at the end for some Q&A. So thank you again, Dr. Torsten, for being here, and I will turn it over to you.
Dr. Torsten George
Well, thanks. And by the way, you can call me Torsten, that's fine.
Chuck Minguez
Torsten works, sounds good. Yeah.
Dr. Torsten George
So I mean, before we start I wanted to kind of set a common language. So when we talk today you will hear terms like attacks, events, incidents and breaches. So just to define that upfront: an attack is really an attempt to bypass an organization's security efforts, but there are millions of events per second that occur.
They're not necessarily successful. An event, there's a difference to the attack, is where it has bypassed one or more levels of security but it really did not require human intervention to resolve. What's an example?
For instance, you can have identity access management solutions in place that detect that there's an unauthorized request and basically block that request. It doesn't allow the attacker to progress, and that's called an event. And then we have incidents.
An incident bypassed one or more levels of security and required human intervention to correct it, meaning there's a security analyst that will take action, but the hacker was not able to exploit, retrieve or exfiltrate any information. So that's an incident. And then the worst-case scenario, that's where it's nicely done in red, is a breach.
So you bypass the security controls and you might modify, delete, extract or read data. That's what we call a breach. And so I'm just setting a common language here so that when we talk later everybody understands what we're talking about.
So Chuck asked me, kind of, hey, when we started talking, let's talk about emerging cybersecurity threats. So I get up every morning at 4:30, I'm an early bird. And one of the first things that I do is I check out the news.
And unfortunately, for instance, Security Week is a very good source. You hear about data breaches and incidents almost every single day. And so it's quite stunning.
And especially if you're in a small business it can be fearful, overwhelming. What should I do? I don't wanna be part of any of those headlines.
And one of the first things that always comes to mind is: who might come after me? Who might try to attack me? And so we all obviously watched some of the movies where you have this hooded guy sitting in a dark room, or you have legions of people sitting in front of computer monitors and just hacking away, the so-called state-sponsored attackers.
Reality is quite different. If you open the arrest warrants of some of these hackers you will be surprised. It might be your best friend.
It might be the granny next door, your own team, or the Boy Scout that you bought your popcorn from. So these are normal, common people. It's not necessarily that stereotype that's being presented in the movies.
And quite frankly, when you look at who the real adversaries are, 65% of attacks are driven by external adversaries. Predominantly these are cyber criminals. These are not state-sponsored attackers.
State-sponsored attackers make up about 2% to 4% of all of the attacks. Primarily it's criminals that are trying to get money out of their actions. 35% of attacks originate from internal threats.
These can be by humans that make mistakes or by malicious insiders. And you can see there’s an uptick. There has been a 15% increase over last year.
And you might now be wondering, why is that? We always see these upticks in times of economic hardship. We have seen high inflation rates.
People had to look at what money is left in their wallet. And so they are more open. They can get approached by an attacker who says, just give me your credentials.
I pay you $2000. That's all you have to do. You're not actively doing something.
Just give me your credentials. And that's very tempting, $2000, correct? And so that's where we see this uptick.
And you can see when it involves partners that's close to 0%. So those are the real cyber adversaries, correct? But then we also read a lot of these headlines about, oh, zero-day attacks and distributed denial-of-service attacks, DDoS attacks.
These are basically connected devices or botnets that are being used to overwhelm a victim's website or their network with traffic and take that down. But the reality is, and here again the nomenclature comes into play, it's very rare for DDoS to feature in a confirmed data breach. It's an incident.
It’s not a data breach. There’s no exfiltration of data associated with it. And then over the last few months we have heard a lot about zero-day attacks.
And it appears that, man, this must be a very common tactic that is being used. But the reality is only 0.4% of the total number of vulnerabilities that have been exploited over the last decade have been zero-day vulnerabilities. In reality, unfortunately, we still face a problem where we are overwhelmed with the number of vulnerabilities that we might detect within an organization and we don't know where to start.
And a good example is the Poodle vulnerability, which came out in 2016. And most companies initially completely ignored it. It had a CVSS score of 7.8. Nobody moves their hands before it is 8.5 and above. And so nobody really jumped on it to patch it. But it was actively exploited and it became a big issue. But even today, almost 10 years later, the same vulnerability exists in many of the organizations.
And that’s what attackers take advantage of. It’s not necessarily zero-day attacks. So now our audience might scratch their head and say okay this guy is saying these things are not in play.
But what is really in play? What are the real tactics, techniques and procedures? Well, it's still the same old story.
It's about social engineering, phishing. It's about weak, stolen or otherwise compromised passwords that really make up the majority of initial attacks. And so the thing that we have to keep in mind, today's reality is hackers don't hack anymore.
They log in using weak, default, stolen or otherwise compromised credentials. I can go right now to the dark web. And I can pull up repositories of passwords.
And I can pay a couple hundred bucks. I get thousands of passwords. And now I can basically try out whether these passwords work in specific accounts, and the likelihood that they work is very high.
Probably high yeah. Yep yep. And so this is the reality.
And a really recent example is the Snowflake data breach. If you were a Ticketmaster customer you have definitely heard about it. My wife had tickets for a pop concert.
And suddenly she got an alert that her tickets got transferred even though she didn't transfer them. They were gone. They were no longer available.
And this was a consequence of this data breach, because the attacker had access to the data. They were able to access the account and change the phone number so that when they would get a multi-factor request they could answer it. And they transferred the tickets.
Obviously Ticketmaster reimbursed her for it. But this is a good example. Snowflake is holding huge amounts of data for different companies.
Ticketmaster is one example. The other one, which has a far bigger impact for all of us, was a background checking company out of Canada. It's being used in North America predominantly.
It's the number one background checking company. So if you apply for a job, if you are in interaction with law enforcement, if you apply for a passport, this is the service that's being used. So that database was holding social security numbers, everything.
And unfortunately Snowflake did not use multi-factor authentication. So a compromised credential from one of their employees at a third-party company allowed unauthorized access to all these different data lakes. And that shows how important it is to really focus on the things that matter most.
Chuck Minguez
And Torsten, can I jump in real quick and answer your question? So outside of the internal threats maybe being solely based on, like, a monetary payout for somebody working for an organization, if the data keeps showing us that it is human error, why do you think that is? Is it solely just education?
Why does that keep happening? What's your view on that?
Dr. Torsten George
I mean, when it comes to insider threats there are a lot of people that configure things wrong that contribute to data breaches. We had examples at Marriott. There was an employee that was responsible for their AWS cloud configuration.
And they simply made mistakes when they configured the security settings. And that left their AWS data lake open to the public. And so insider does not always mean malicious insiders.
It can be really people that are making mistakes. But the human factor across the board plays a big role in external attacks, as we talked about, because we are all probably guilty. We use passwords for private purposes.
You kind of protect your bank account and most likely use the same password for your work account because it's easier to remember. And so these are kind of our human shortcomings. So another thing that Chuck was saying: okay, so now that we have all these attacks going on and all these bad things happening, what's happening from an industry standards and regulatory compliance perspective?
Who's really kind of guarding us? And it's kind of interesting to see, because the reality, the bitter truth, is it's no longer a matter of if but when an organization will suffer a data breach. And so many industry oversight agencies as well as the governments have realized we have to step in here.
We have to protect citizens but also businesses, and we have to give them guidance. And so you have this pyramid: there are laws like FISMA and HIPAA, there are decrees like HITECH, and the IRS even has specific stipulations around cybersecurity. And then you have government regulations, be it on the privacy side, GDPR obviously top of mind, you have DHS and other organizations kind of issuing regulations.
And then on top of that many industry associations like PCI, which is probably one of the most prescriptive regulations that you can find, NERC for the energy and electricity area, they provide common advice as an oversight agency. And then you have industry standards like NIST, ISO in Europe, CIS. So there are a lot of things being done, but again, it's almost overkill.
There are 900 oversight agencies worldwide and there are about 200 daily regulatory updates that are being published. How would you keep track of all of that? And so it's really tricky; as a midsize company on average you're dealing with 17 industry or government regulations.
If you have a larger company that bypasses more than 70 regulations, and that's why they normally have their own governance, risk and compliance departments that are just looking after what the changes are and how do we apply this? But another thing is, back in the day we thought when we follow these regulations and we check the box to get certified we're secure. But I think the reality has proven that's not true.
A checkbox mentality doesn't necessarily help here. And quite frankly there are some frameworks out there that are probably providing better guidance than others, and that was another question that Chuck came up with, kind of, okay, we looked at this whole field of regulations and standards, what are some of the effective cybersecurity frameworks? And when he asked me that question I kind of, I was torn.
I mean, obviously NIST, for me the NIST cybersecurity framework was a milestone in the cybersecurity industry because there were two things that really characterized this standard or guidance. One is that it was starting to think in particular pillars, how to operate your cybersecurity, how to establish it. Initially it was about identifying, protecting, detecting, responding and recovering.
In the 2.0 version they added a new pillar which is around governing. And I think having these buckets helps anybody that is tasked to kind of look after compliance and industry standards to at least structure their thought process accordingly. The second unique thing about the NIST cybersecurity framework was that it deviated from that traditional view of checkbox mentality.
It introduced risk as a new guiding principle. I once wrote an article where I stated risk is security's new compliance. If you do it right. Unfortunately, not every organization has transitioned to that approach yet.
But just, I mentioned the Poodle vulnerability earlier, correct? So it had a very low CVSS score compared to others. So I would say, okay, my risk exposure is low, but I'm not taking the entirety of context into account.
Because if I would have known that at this specific time it's being exploited actively in the wild I would have no longer listened to the CVSS score. I would have now changed my approach and said, oh, this is really a big exposure. There's risk, immediate risk, associated and therefore I would fix it.
So having this risk-based approach was a game changer. So you have to give a lot of credit to NIST. And then I don't know what the mix of our audience is, if you're a small business, if you're a medium-sized business or a larger organization, but for the first time in version 2.0 NIST focused in on small and medium-sized businesses. They created for the first time a small business quick start guide which gives more practical guidance on how to apply these 100-plus controls to your environment.
So it was very nicely done. Finally they acknowledged this is a framework that’s being consumed not just by government not just by a large organization but even by a smaller organization. I just referenced more than 100 controls.
This might still be overwhelming, correct? And that's why I second-guessed myself and said, hey, let's take a look at another framework which is simpler. And these are the CIS controls.
That's version eight. It's the latest version. There are 18 controls.
So 18 controls, that should be far easier to manage, correct? And you can see that access control management, data protection, data recovery, these are some of the things that you kind of heard underlying earlier when we talked about attacks, credential abuse, weak or stolen or compromised passwords. This is covered in these controls.
And so while it's quite condensed I think it really goes down to the basics. If you're still saying, hey, 18 is still too many for me, well, guess what? Our friends in Australia, the Australian Cyber Security Centre, they have their Essential Eight.
So it's about application control, especially nowadays that we access applications in the cloud. It has become very important to secure that because a lot of our sensitive data nowadays resides on salesforce.com or in other SaaS applications; patching your applications, configuring your Microsoft Office environments accordingly, hardening your environments, restricting privileged access for the people that really have access to your crown jewels, automating your patching practices. And as I mentioned earlier, multi-factor authentication, there have been a lot of articles written recently that it's no longer as effective as in the past.
But I tell you, I know a few hackers, be it white hat hackers or the real hackers. And when you talk with them they will tell you for them multi-factor authentication is a major deterrent. Hackers don't wanna spend much time.
They wanna get in and out as quickly as possible. If they have to spend days to figure out how to break in they move on to the next victim. And so multi-factor authentication is a low-hanging fruit.
And then daily backups. So here you have eight things. And I think definitely boiling it down to eight things should really help you.
Chuck Minguez
Yeah, it's digestible, right? Yeah. Yeah.
Dr. Torsten George
Yeah. Yeah. And so now you might say, okay, so you talked about the threats, the threat actors.
We just talked about, okay, I'm required, even if you wanna take out cybersecurity insurance. Insurers nowadays say, oh, you have to have specific controls in place to make me feel more comfortable that you've limited my risk exposure. But how do you spend your money?
You have limited funds. How do you allocate that? Where should I spend it?
There are so many security tools out there. I mean, we're spending as an industry hundreds of billions of dollars every year but we still experience these data breaches. So what do we have to focus on?
And here my recommendation is take a step back and think like a hacker. Understand the approach that a hacker takes, correct? Going back to the tactics, the techniques, the procedures.
So again, if password hacking, phishing scams, malware are important and they're at the front end of the cyber attack chain, if I have a big impact there, if I can stop it right there, they will never get to the server that holds the crown jewels. And that's my goal, correct, to really break that cyber attack chain very early. Same with insider threats.
If they have privileges, correct, and if these are standing privileges, that's a bad thing. You should have just-in-time privileges. Only when they need access should they get those access rights.
And then really, typically once they're in, and that's normally done in 68% of cases, the endpoint of the worker is the beachhead into the network. So again, the endpoint becomes very important, because from there they're now scanning the network, they do their reconnaissance, and they're moving laterally, they're hunting for more credentials, higher privileged access credentials that give them more access to the crown jewels. And so if you have this attack chain in mind, quite frankly it makes it a little bit easier to allocate your resources.
For me personally, I always talk about back to the basics, so you should reassess your cybersecurity priorities. Increase security awareness. If people don't know what to look for they can't react to it, correct?
I'm very proud. My daughter just went off six weeks ago to college in San Diego, and last week she texted me, kind of, Dad, is this a scam, is this a threat? And she sends me a screenshot of an SMS message that she got, as usual the urgency, click on this link.
She learned from her dad, she learned from security awareness training what to look out for: the urgency, what is the email address domain, all of these things. So training comes in very handy. And then new emerging technologies that are not just kind of doing quizzes, there are quite interesting concepts where you watch almost like Netflix-type movies that educate you.
And then there are new tools out there that are even simulating, with the help of AI, specific scenarios of incidents where the employees are being asked how they would respond to it, and based on their response they get kind of scored and you can address any type of gaps. The second thing to focus on, to put funding behind, is go beyond passwords. Really look at multi-factor authentication.
Again, very low-hanging fruit, very affordable. If you have privileged users that have access to your crown jewels on servers, apply privileged access principles there. And then if you wanted to go out to Zero Trust, where really you don't trust anything, there are some very affordable solutions out there that are offered by Chuck and others where you can really step up your security efforts tremendously and really go far beyond the password.
The other thing that I mentioned, one of the early beachheads into an organization are endpoints. So why not leverage endpoint detection and response? And if you don't wanna do that yourself, reach out to Chuck.
He can manage that on your behalf. You can lie in bed and read your book while he and his team take care of it.
Chuck Minguez
And he'll handle it for you, yeah.
Dr. Torsten George
Yeah, yeah. And then last but not least, there is no 100% protection. If you have vendors come to you and make that promise, throw them out the door.
It's not true. There's no 100% protection. And if that's the truth then you have to think about, how do I make my business resilient?
And that starts with data protection for your endpoints, for your SaaS applications. And that's a blind spot. If you have Microsoft 365, if you have Salesforce, you believe that those vendors back up your data and secure the data.
No. There's a shared responsibility model, meaning you're responsible for that. They take care of the infrastructure, but you're responsible for that data.
So it's important to back that up too. And then if you leverage cloud environments like Google Cloud or AWS or Microsoft Azure, any data that's there, you also have to back that up and do that in an efficient way. Again, Chuck can help you here, because there are solutions out there that really cover all aspects in a single console.
And so it makes it very easy. And so that's my recommendation. It's kind of the best cybersecurity on a beer budget.
If you focus on those four areas you cover probably 98% of all TTPs that typically cause data breaches. So it really minimizes your risk exposure. So that was what I had to say.
Do you have any questions or the audience?
Chuck Minguez
Yeah, actually I wanted to ask you real quick too about the last slide with EDR. Sometimes when we're talking to people they'll say, well, I already have an antivirus solution in place. Can you talk a little bit about how EDR is different from antivirus, and maybe why antivirus alone is not necessarily the strongest tool to have in your tool belt?
Dr. Torsten George
Yeah, I mean, we hear that unfortunately quite often. So antivirus was one of the first tools available for endpoints, and it was great at the time, but the threats have emerged, the malware and virus combinations. There are so many variants out there on a daily basis that antivirus can't keep up.
Antivirus is a signature-based approach. I need to know that signature, meaning I look at the endpoint and I compare what I see on the endpoint with my database of known signatures. If I have a match then I throw an alert.
If I don't have a match I don't throw alerts. The problem is today most of the malware and viruses are not known at the time. That is one drawback.
The other one is that the frequency of scanning is far more limited compared to an EDR solution. EDR is continuous monitoring. Antivirus is, let's say, once a day, once a week.
So there's a huge gap in between. It also doesn't come with all the full-blown capabilities. With endpoint detection and response those technologies allow you, for instance, to automatically roll back if there's an exposure.
So you're still operational. You're not kind of impacted. Antivirus tools don't do that.
Obviously antivirus over time has evolved. And what we see, there are vendors like Bitdefender out there that still combine traditional antivirus components in their EDR solutions, but EDR is basically the label on the product. But yeah, we see this right now.
We're talking with many of our partners where we try to give them an incentive to move from antivirus to EDR. We get two arguments. One is price. Quite frankly, yes, antivirus is still less expensive than an EDR solution.
However, if it exposes you to bigger risk and makes you even potentially liable, I'd rather spend a dollar more to close that gap. And the second thing that we hear is that endpoint detection and response is a quite sophisticated technology and suddenly you might get overwhelmed with all the alerts that you're getting. And that's really where the second item here on the slide, managed EDR, comes in, where you could leverage your MSP that takes that off your plate.
You can still focus on running your business, and the MSP, their team of experts, are now looking at the alerts and they will only inform you of the real significant troubles that are happening. And so again, that's something that can be easily addressed if that's a concern.
Chuck Minguez
Perfect, yeah, thank you for that clarification. That's great. Then we have two questions.
Kyle's got some great questions. The first one: how can an organization reasonably protect data outside their direct control with a third party?
Dr. Torsten George
So if you have data in a SaaS application or in cloud environments, again, there are technologies out there that are integrating into these third-party solutions and are able to back up the data and recover the data. And that's the important component. Back in the day we always thought solely about backup, but the recovery part is a very important component.
Yeah, and so these technologies exist. And then obviously supply chain attacks have become very common nowadays. I mean, the Snowflake example that I mentioned, that's a good example.
So obviously the very typical approach is you're asking them to fill out a vendor risk assessment when you engage with these people, but in reality you should go beyond and even ask if they have specific certifications, be it SOC 2, be it ISO 27001, FedRAMP; any type of this would show us what type of security controls they apply to their environment.
Chuck Minguez
Very nice, thank you for that. And then another great question too. So Kyle was asking about the value of a SIEM backed by a SOC.
Many people I talk to think of it as only valuable after an incident. So why should they pay for it upfront?
Dr. Torsten George
Yeah, I mean, the lines are blurring, correct? The SIEM system was used in the past to consume log files to do, in reality, forensic analysis, because log files are historic data. It's not real-time data.
It's historic data that I query to see, are there any things that I missed, and hopefully find it before something bigger happens. So that's what the SIEM equates to. Obviously to operate the SIEM there's a lot of fine-tuning required and there's a lot of expertise required.
Because again, I can only react to something as I see something. To see something in the SIEM I have to ask the right question, meaning I have to be a querying expert and a cybersecurity expert to ask the right question of my data to get the proper answer. A lot of especially smaller and midsize businesses don't have that expertise.
They can't afford this expertise. And that's again where an MSP can come in to augment talent and help with that. Obviously there are new technologies called XDR that have emerged where it's now real-time monitoring.
So you could argue that, depending which vendor you listen to, the SIEM vendor or the XDR vendor, there's a big war going on right now. Who provides more value? I still believe that logs need to be preserved.
Simply, there are obligations under regulations whereby for forensic analysis, for post-mortem analysis, you have to have access to that, and the SIEM can help aggregate that data without you having to spend months to pile up that same data.
Chuck Minguez
Very nice. Perfect. Thank you.
Yeah, great questions. Anybody else have any other questions? You can feel free to come off mute or drop them in the chat.
Great information. Al says thank you.
Dr. Torsten George
Thanks. Thanks, everybody. Again, if you have any questions, feel free.
Don't be shy. Mutlu, anything from you? Or Stephanie, Janet, anybody? Happy to answer any questions you might have.
Chuck Minguez
Torsten, would you be okay, when I send out updates, with including a link to your LinkedIn profile?
Dr. Torsten George
Most definitely. And again, thank you. I know we all have a busy schedule, but thank you for taking the time out of your busy schedule.
And Chuck and I talked earlier, our thoughts and prayers are with the people that are in the path of the hurricane that impacts the southern part of the country. We keep our fingers crossed that everybody will be safe. And again, thank you for joining.
Chuck Minguez
Yeah, thank you for being on today, Torsten. I really appreciate it. And we'll be in touch.
And again, if anyone needs some help with some NIST assessments, we'll send out some information on how we can get you started with that. All right, have a great day, everybody. Be well, be safe.
And thank you again, Torsten.
Dr. Torsten George
Thank you.
Chuck Minguez
Have a great day, everybody. Bye-bye.