No Kicking the Can in Cyber Defense: Invest Wisely Now or Pay in Multiples Later
A Conversation Between Christopher Skroupa, Skytop Editor-in-Chief, and Mark Bowling, Vice President of Security Response Services, ExtraHop / November 17th, 2021
Mark Bowling is Vice President of Security Response Services at ExtraHop, the enterprise leader in cloud-native network detection and response. Building on his three decades of experience working in government with the FBI and Department of Education as well as in private consulting, Mark works directly with ExtraHop customers across multiple sectors including finance, healthcare, retail, manufacturing, and government, helping them respond to complex cybersecurity incidents quickly and in compliance with regulatory frameworks including NERC, SEC, HIPAA, PCI-DSS, ISO, GDPR and CCPA.
He also advises customers on risk management and mitigation strategy. His competencies include cyber threat and risk assessment, incident response, internal investigations, critical infrastructure protection (CIP), regulatory compliance, and disaster recovery. He also has experience in strategic risk management and business continuity planning.
Christopher Skroupa: Mark, it seems that corporate leaders see cyber as an intrusion, one that might result in an insurance claim, as opposed to a white-collar crime that pays the perpetrators very well. Do you agree?
Mark Bowling: In general, that is an accurate observation. So in short, I agree with your statement. I want to parse your statement, though. Many corporate leaders see the need to take appropriate risk management actions as an intrusion into the other aspects of organizational management.
There are notable outliers though. Companies that have a strong understanding of enterprise risk management actually get it. Generally, that includes insurance companies and financial services companies who make a business of understanding risk and how to manage risk.
The companies that successfully address cyber security are those who fundamentally see cyber security as one of many aspects of enterprise risk management. Frequently, it is seen as one component of loss prevention, particularly in the retail world. Technology companies identify cyber security as technology risk management and employ controls the same way they would around technology project management. The solution is to understand the scope of the risk, to acknowledge and appreciate the threat actors, and then to quantify the risk.
Now pivoting to the white collar crime aspect; cyber crime pays, and pays extremely well. Because it pays so well, there is a tremendous financial incentive for cyber criminals to take action to attack, compromise, and then breach numerous victims. Cyber criminals are sophisticated, motivated, and compensated, and because of those three attributes, they are persistent and successful.
Most cyber actors, with the exception of the nation-state sponsored Advanced Persistent Threat (APT) actors, are simply organized criminal enterprises (OCE). Frequently these OCEs operate with the tacit acknowledgement of the countries in which they take refuge and from which they operate. Because of this, there is little effective deterrent. So the only way to stop them is to take all necessary and appropriate defensive actions to protect your network.
These defensive actions include preventive controls, detective controls, corrective controls, and protective controls.
Christopher: Chuck Brooks, one of our contributing authors, says that cyber breaches cost companies $10 trillion a year and that it is growing at an alarming rate. How do you explain this? It seems that if this loss was realized through operational or other risks that shareholders would be demanding swift and effective corrective action.
Mark: Mr. Brooks is 100% correct. While I can’t verify the accuracy of the $10T number, he is absolutely in the correct order of magnitude. What is more important, though, is the rate at which both the number of cyber breaches and the relative cost of those cyber breaches are growing.
It is frustrating, almost maddening, to see companies continue to be hit by Ransomware actors. And I actually don’t love the use of the term Ransomware anymore. Ransomware was appropriate for payloads delivered as attachments to email, such as the first-generation malware encryption payloads. The second generation of Ransomware still fit this description, as it would self-propagate through a network, such as with NotPetya and WannaCry.
But now the actors resemble the APT through their sophistication, lateral network movement, and persistence. A better term would be the Extortionate Persistent Threat.
I would explain the rapidly growing losses and the total amount of the losses due to three factors:
The first is simply that the executive management (EM) of these companies, including the C-Suite and the Boards of Directors, are not doing their fiduciary duty to the stockholders and employees of the company. This failure is evinced both by the number of breaches and by the overall cost of the breaches. EM has the responsibility to ensure that they are informed of the risks, and to take all appropriate action to protect the company and the investment of the employees and stockholders. Ignorance is no excuse, and neither is inaction. The stockholders, and if necessary the government, must begin to hold executive management accountable for the failures on their watch.
The second is the inattention paid to technology in general. It is harder to protect an older information technology system than a newer one. Tech debt and end of life/end of service (EOL/EOS) systems are an enormous burden to the modern enterprise. As long as the accountants continue to see information technology and cyber security as cost centers, and not profitability enablers, the vulnerabilities introduced by tech debt and EOL/EOS information systems will be easily compromised by attackers.
The last factor is the significant shortage of knowledgeable and experienced cyber security professionals. Cyber security professionals are in short supply, and experienced, seasoned, well-trained, and competent ones are even more rare. Because of this, there is serious competition for experienced cyber security team members. You can’t protect your systems unless you have boots on the ground, or at least the butts in the chairs, who can perform the roles of security analyst, network security engineer, or security operations officer.
Christopher: Not knowing what percentage of this loss is indemnified through insurance coverage, and irrespective of the claimability of the loss, the lost capital is going somewhere. Do we know where? This is a lot of war power for terrorists, criminal and hostile nation states.
Mark: We do know where; at least we should have some idea. The money is going to those intelligence agencies, terrorist organizations, and organized criminal enterprises that are successful in their extortionate and fraudulent efforts.
Earlier this year it was widely reported that North Korea, as a nation state, had gotten into the game and was using financially motivated cyber-crime to fund the government of North Korea, including its nuclear weapon and ballistic missile research. So, we absolutely know where that is going. We also know about the significant criminal operations of both REvil and DarkSide, and their successor organizations in Eastern Europe.
There are those who believe REvil and DarkSide may have been related, but both have collected tens of millions in extortionate payments from their victims in the west. These ill-gained profits line the pockets of the criminals themselves, of course. But they also go into the development of additional cyber-attack capabilities, as well as bribes to the Russian government for “protection”, to insulate the criminal enterprises from investigation by the FSB.
Perhaps even more concerning are the proceeds of the criminal activity going to Islamic Terrorist Organizations.
Christopher: From your perspective, what is the cost benefit of putting in state-of-the-art technology now versus waiting until later? For example, if a company were to call you in and ask for a plan to fix it now or fix it later, what’s the risk/reward scenario look like?
Mark: What enterprises need to understand is that cyber-attacks by criminal organizations are inevitable and pervasive; essentially, they are ubiquitous.
In many industry verticals, cyber-attacks from nation-state actors are also inevitable. Because of this, if you don’t have state-of-the-art security technology, processes, and qualified, competent personnel, you are already behind, and at a greater level of risk. Many in the corporate world are familiar with the concept of “Tech Debt”.
Originally applied to the improvement cost of poorly written code in applications, it is now more broadly applied to obsolete, post end-of-life/end-of-service (EOL/EOS) information technology. I want to introduce the concept of “Cyber Security Debt”.
This is an inevitable cost.
You can pay now to ensure information assurance by implementing technology, training your employees, developing and implementing cyber security policies, and developing an information security management program. Or you can pay later by paying a Ransomware demand, paying an incident response firm to contain and eradicate the attack, perhaps paying a large regulatory fine, losing customers, and then doing all of the things listed above to ensure information assurance.
At one point, probably sometime in the past four to five years, risk could be transferred via compromise or breach insurance, and this could buy the enterprise some time. But now, because of the exponential increase in the number and cost of Ransomware attacks, the cost of breach insurance itself has skyrocketed.
The cyber security environment probably reached an inflection point in the last one to two years. It is now absolutely imperative that companies begin to address their vulnerabilities, patching, and cyber-attack surface as soon as possible. With the exploding costs of attacks and the escalating cost of breach insurance, the ROI is now firmly on the side of developing an information assurance program that addresses each of the critical components that I previously listed.
Christopher: Does short-termism play into investing in cyber solutions? It seems that protection is a cost of doing business and hope is certainly not a strategy. How do you build consensus to that important but costly investment into smart security?
Mark: No, it doesn’t. Short-termism may be a significant part of the root of the problem. The problem is that most people, including executives and parts of corporate boards of directors, don’t understand the math of risk.
This isn’t the Hunger Games; the odds are not in your favor.
As previously stated, everyone with data and a need for either confidentiality or integrity of the information in their enterprise is at risk. Banks, financial services, utilities, and even private, tax exempt, nonprofits are at risk because of their need to have full assurance of their information’s confidentiality, integrity, and availability. So, unless you don’t use either data, computers, or the Internet, you are at risk.
The “short-termers” roll the dice.
If you have a 20% chance in any given year of suffering an attack, that calculates to a 5.43% chance in a quarter. Because of this, the “short-termer” attitude becomes: let’s go for quarterly profits, and kick the can down the road. But over a four-year period of time, that 20% each year becomes a 67.2% probability of an attack. And once a company has been successfully attacked, and they pay the ransom, the bad guys now know that they are both technically vulnerable and willing to pay a ransom. In this situation, the initial victim becomes targeted more frequently.
You build consensus by doing the hard work of enterprise risk management.
First, as a corporation you determine to execute an enterprise risk management strategy. All of the corporate stakeholders must be involved in this process. Determine what your risks are, and then identify how much those risks and threats will cost your enterprise. This must include Executive Stakeholder support, based on the identified risks. The Board of Directors, the CEO, the Chief Operations Officer, the Chief Compliance Officer, and the Chief Finance Officer must all be involved. If an enterprise can’t get that far, any further efforts will be ad hoc and probably will only be minimally successful.
Once the executive stakeholders understand and quantify the risk, then they can make intelligent decisions regarding the cost of doing business in the current hostile cyber-threat environment. This involves collection of risk data, evaluating the internal value of both information assets and those physical assets operated by information systems, and then assessing the cost of the countermeasures needed to protect the information, associated information systems, and physical processes controlled by those information systems.
This is how consensus is built; everything needs to be reduced to value, risk, and probabilities. And then ROI becomes readily apparent.
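As an added example (not part of the interview, and not ExtraHop code), the compounding arithmetic behind the figures in the answer above, written out in Python so an annual probability can be converted to any shorter period or extended over any number of years of deferral. It assumes a constant annual probability of a successful attack and independence between periods; both are modelling assumptions made here, not claims from the interview. With a 20% annual probability the functions return 5.43% for one quarter, 59.0% cumulative over four years and 67.2% over five.

```python
"""Compound the per-year probability of a successful attack across periods.

Model assumption (ours, not the interview's): each period is an independent
trial with the same underlying annual probability of compromise.
"""
from typing import List, Tuple


def _check_probability(p: float) -> None:
    if not 0.0 <= p < 1.0:
        raise ValueError(f"probability must be in [0, 1), got {p}")


def period_probability(annual_p: float, periods_per_year: int) -> float:
    """Probability of at least one successful attack in one sub-period.

    Derived from the survival probability: if (1 - annual_p) is the chance of
    surviving a whole year, surviving one of N equal periods is its N-th root.
    """
    _check_probability(annual_p)
    if periods_per_year < 1:
        raise ValueError("periods_per_year must be >= 1")
    return 1.0 - (1.0 - annual_p) ** (1.0 / periods_per_year)


def cumulative_probability(annual_p: float, years: float) -> float:
    """Probability of at least one successful attack within `years` years."""
    _check_probability(annual_p)
    if years < 0:
        raise ValueError("years must be >= 0")
    return 1.0 - (1.0 - annual_p) ** years


def deferral_table(annual_p: float, max_years: int) -> List[Tuple[int, float]]:
    """Cumulative attack probability for each year of 'kicking the can'."""
    return [(y, cumulative_probability(annual_p, y)) for y in range(1, max_years + 1)]


if __name__ == "__main__":
    annual = 0.20  # the 20% per-year figure used in the interview
    print(f"per quarter: {period_probability(annual, 4):.2%}")
    for year, p in deferral_table(annual, 5):
        print(f"within {year} year(s): {p:.1%}")
```

The same functions can be pointed at a different annual estimate once an enterprise has quantified its own risk; the compounding, not the particular 20% input, is the point of the table.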
Christopher: What’s your best advice to boards and management in today’s cyber insecure environment?
Mark: I like to break this down into eight steps:
Determine an enterprise Risk Management Strategy, i.e. know what your risks are, and how much those risks and threats will cost your enterprise.
Get Executive Stakeholder support, based on the identified risks. Get it from the CEO, the COO, the CCO, and the CFO.
Determine your best, most appropriate, technical cybersecurity framework, irrespective of your regulatory compliance framework. Regulatory compliance is not equal to effective cybersecurity. Build your cybersecurity program around the technical framework that is best for your business environment. There are several robust technical frameworks: NIST Cybersecurity Framework (CSF), Center for Internet Security (CIS) Top 20 Critical Security Controls, ISO 27001/2, or even NIST SP 800-53 Rev. 5.
Identify, document, and continuously maintain an accurate inventory of devices, applications, cloud assets (SaaS, IaaS, PaaS), user accounts, vendors, etc. Know what is in your environment, so you know who and what should be in your environment, and who shouldn’t be in your environment. This is called Asset Management.
Effectively provision and manage access to your environment across the entire entitlements spectrum. Know who your administrative users are, who your elevated privileged users are, who your general users are, and who your third-party vendors with access to your environment are. Provide users with only enough access to do their jobs.
Reduce your attack surface by managing your environment. Implement effective change management, configuration management, and patch management to reduce misconfiguration errors. Reduce end of life and end of service (EOL/EOS) vulnerabilities for necessary applications by implementing compensating controls. Reduce overall vulnerabilities by implementing an effective vulnerability management program that includes periodic scanning, tracking, and escalation of externally facing or critical/high vulnerabilities.
Maximize your organization’s visibility of your technical operating environment through effective detection tools. These should include Network Detection and Response (NDR), Endpoint Detection and Response (EDR), and Security Information and Event Management (SIEM).
Plan for, prepare for, and train for critical incidents. This includes disaster recovery, incident response, and ensuring that your company has frequent backups that are usable, accurate, and safely maintained.
Christopher: Mark, thank you for this insightful look into what companies need to do to stay on top of their cyber risks. I look forward to sharing the day at our Cyber Risk Governance conference, running in New York, March 3, 2022. Hope our readers will join us as well.