Key Takeaways from Optimizing Security for the Long Term

By Kiley Lambert, Bloomberg Live

At Bloomberg’s most recent enterprise security event, Optimizing Security for the Long Term, Bloomberg Cybersecurity Team Lead Andrew Martin and Bloomberg Cybersecurity reporter Kartikay Mehrotra hosted conversations with key voices and leaders in the enterprise security space, including:

  • Vanessa Pegueros, Chief Trust and Security Officer, OneLogin
  • Alex Rice, Co-Founder and Chief Technology Officer, HackerOne
  • Jon Oberheide, Co-Founder and Chief Technology Officer, Duo Security
  • Tami Erwin, Senior Vice President, Verizon and Group CEO, Verizon Business
  • Andrew Martin, Cybersecurity Team Lead, Bloomberg News
  • Kartikay Mehrotra, Cybersecurity Reporter, Bloomberg News


On organizational vulnerability

“Users and their access represent the soft underbelly for most businesses,” Jon Oberheide, Co-founder and Chief Technology Officer at Duo Security, said. He added that over the past five to ten years, the focus for attackers has shifted from networks and servers to end users of organizations.

“It’s really unfortunate when we move toward blaming end users for security,” Oberheide added. “‘Don’t plug that thing into your computer. Don’t open that attachment. Don’t click on that link.’ These are the activities that you have to do to be on the internet and to be a productive individual in your organization. So we need to move from the model of blaming the end user for just trying to do their job and try to meet users where they are in terms of their accessibility to technology, their adoption, their usability.”

Companies should not make their employees “jump through a bunch of hoops” security-wise to do their jobs as it could inadvertently push them to use easier and far less secure options.

HackerOne Co-founder and Chief Technology Officer Alex Rice agreed, adding that an unfortunate trend he’s seen develop in response to recent high-profile cyber attacks has been the “classical cynical” response to place most of the blame for these breaches on end users. “We should expect humans to fail, we should plan accordingly, and it takes a lot of work to get there and we need to be investing in making our technology more resilient to defend against situations like this.”

Companies have also had to speed up their deployment and rush to implement these new technologies, Vanessa Pegueros, Chief Trust and Security Officer for OneLogin, said. This means that there is a degree of responsibility for security that falls on the end user.

“I’m going to be a little harder on the end user than Jon and Alex,” she said. “I think there are some real obligations that end users have.”

Things like not letting anyone in your household use your work computer, doing work only on your work computer, not downloading applications that aren’t directly related to your job on your work computer, and not opening suspicious email attachments are all good “common sense” practices.

“I know humans aren’t perfect but that doesn’t relieve us from making sure that we educate them as much as possible,” Pegueros said. When it comes to basic digital hygiene and safety, she thinks, “it’s perfectly legitimate to push end users to a common sense approach.”

On the threat landscape

“A lot of the focus has been on the tactics and the techniques and the lures that people are using and we should just be reminded that criminals are always opportunistic,” Rice said, adding that this time is really no different in that regard. “What’s meaningfully different about the threat actors and the threats that organizations are facing now is not that the bad folks have changed or that their goals have changed. It’s that the attack surface has increased dramatically.

“Organizations that weren’t prepared to treat their home environments and many of their end users as front-and-center attack surfaces for their enterprise are the ones that are struggling the most to keep up here.

“Don’t spend too much time worrying about the flavor of the week attack and spend a lot of time really assessing what are those new attack vectors for us in a home environment post-Covid.”

Pegueros added, “Crime as a service is a real thing and with a complete supply chain of products and services.” She said that as the accessibility and ease of use for this kind of crimeware has increased, so have the number of bad actors.

Oberheide explained how it’s easier now to compromise the average organization than it was back when he was a high school hacker. He cited the evolution of information technology over the past two decades as a big reason. “It used to be a little more simple to reason about our IT security when everything was literally within your four physical walls.” Employees accessed applications, networks and data using devices that stayed within the confines of a physical office, which made it easier to construct a robust security apparatus.

“We built really high walls of the castle and then put a moat around it and that was sufficient to protect our organizations.”

But that kind of structure doesn’t make sense anymore, Oberheide said. Remote work, a wide range of devices being used, cloud environments, mobility, all of those things that have made employees more productive and companies more competitive also represent significant, and relatively new, security risks. “The positive side of productivity also represents the risk of account takeover, phishing, of device compromise,” he said. “So when you move to a work-from-home environment, you exacerbate all of those factors.”

On “The Basics” and what every company should do right now

“A lot of organizations still aren’t nailing the basics,” Oberheide said. “Who are all your users? What are their devices — are they safe, are they risky, are they up to date? And how do I provide seamless access to applications in this new world?”

Every CEO should be able to answer those three questions, Oberheide said. “You can tell a lot about the maturity of an organization’s security program by how quickly and how precisely they can answer those questions.”

Getting the basics right is not necessarily easy, he said, but focusing on those fundamentals can create a structure that allows your limited security teams to put their energies toward meeting higher-order threats.

CEOs should also be asking how environments are being monitored continuously, Pegueros said. “Having the tools and systems in place, and, most important, how do I monitor and understand what’s going on in my environment?

“The most sophisticated attack could start with a phishing email. We don’t know what that initial attack is going to evolve into and how sophisticated the attacker is. So being able to track that activity through your environment” is critical to recognizing when a little attack has become something much more threatening, she said.

Pegueros added that ensuring that priorities line up with security expectations should be top of mind for company leaders as well. “You have to relook at your portfolio of initiatives and ask which of these is much more critical now than it was prior to the crisis?” she said. “Taking that business look and getting broad adoption across the business around that re-prioritization is probably the most important thing” leaders could be doing right now to improve their security postures.

Rice reiterated that end users’ work-from-home arrangements are almost always less than ideal. “To put it into context, if any part of your security model is dependent upon your work-from-home end users’ consumer-grade network being secure, then you should really be reassessing your security assumptions and your security posture,” he said.

“Your old perimeter is just a lie. We have to get out of that mentality of these high walls, and if you try to extend that to somebody’s house, it’s just not going to work.” Companies need to focus on getting the basics right, no matter how difficult it might be, he said.

“The most important thing to get right is get everyone aligned that this is not temporary. This is permanent and we need a longer-term strategy for how we accelerate this and get this going. That’s the hardest thing to get right and the most important one to set up first.”

It’s not if, but when

Tami Erwin, Verizon Executive Vice President and Group CEO, Verizon Business, said that as her group tracked the growing crisis in Asia, then Europe and finally in the U.S., they were working closely with their customers to build out business continuity plans, while also preparing Verizon Business’s own 25,000-strong workforce to transition to remote work. This preparation laid the groundwork for Verizon Business to move 99 percent of its workforce to remote work in just one week’s time, she said.

“For us, a big part of [the transition] was making sure that they had secure VPN capability,” she said. “With our employees, making sure that we’re clear about the expectation around credentials, so that people are doing the right thing every single day with credentials and capability.

“And then more and more of our customers are asking us to do monitoring so that we can be proactive in assessing where we believe that, based on incidence reports that we’re seeing and have access to from a network standpoint, we can raise the flag early.

“I think what businesses all acknowledge today: it’s not if I’m going to have a security problem, it’s when. And when I have it, what actions will I take.”

The Covid effect

Erwin said that although cybersecurity has been a growing focus over the past few years for the businesses she works with, the Covid-19 pandemic has definitely accelerated the search for solutions.

Echoing Rice’s comments regarding the “attack surface,” she said that remote work has meant that information and data that might have been largely contained when offices were open have been dispersed into millions of homes, each with their own set of vulnerabilities.

“The bad guys are busier than they’ve ever been before and therefore what we’re seeing are that businesses are more concerned than ever because they feel like they have less control,” she said. And it’s not limited to any one sector. “I think, right now, public, private and, in particular, SMBs are under attack because of the lack of tools and capabilities.

“When you look at what’s happening as a result of Covid, I think our entire worlds are changing as we think about how will we operate today, how we will operate in the future, what are the things that we love about what we’ve learned from Covid because we have learned a lot.”

The pandemic has forced many companies to step up their timelines for implementing digital strategies, she said. “Covid created the moment that said you have to go digital. And when you acknowledge that, when you adopt that, then you have no choice but to build security in as one of the critical platforms to enable and protect your assets.”

Erwin said that companies being forced to adopt new and permanent security structures as a result of being rapidly forced into remote working arrangements is one of the good things to come from the crisis. But there’s obviously still work to do.

“I think it’s been a wake-up call,” she said. “It’s been positive for the overall industry around digital transformation, around protecting information and around making sure we build processes and protocols that protect that information.”
