Cracking the code in the boardroom

November 1, 2021 TH Author Trend Micro CISO : Article, Trend Micro CISO : Cloud, Trend Micro CISO : Digital Transformation, Trend Micro CISO : Risk Management

Perhaps one of the biggest challenges you face today is getting everyone in your organization, from the developers to the board, on the same page. How can you tackle this complex challenge? Scott Augenbaum, former FBI special agent and Ed Cabrera, chief cybersecurity officer at Trend Micro, provide insights into changing the company culture and winning over the boardroom.

Changing the company culture

The best security plan in the world can fall short if the entire organization doesn’t buy into it. How can you implement a company-wide culture change? First, identify the key elements. Every department poses a different security risk—for example, administrative departments are often targeted with BEC and phishing scams, while DevOps teams need to focus on proper configurations. After you’ve identified the security gaps across the organization, communicate the importance of good hygiene in specific use cases.

It’s like a snowball rolling down a hill. Once each department has a better understanding of their role in the overall security of the enterprise, they will implement better practices. Admin departments will pay closer attention to the signs of a phishing scam and forward the email to in-house threat researchers and IT teams, and DevOps will use frameworks like CIS Critical Security Controls to incorporate earlier detection in their apps.

Cracking the code in the boardroom

While you understand the grave risks ransomware and other cyberattacks pose, the boardroom seems more focused on business decisions. To make your message stick, Cabrera suggests aligning your message with their business objectives. For example, the CISO for the American Cancer Society said that by stopping an attack that could cost the company X dollars, the board would be able to use that saved money to build more homes for cancer patients, which was their current goal. A win-win scenario that the board can get behind and aligns with the security goals of the security team.

Transcript

Scott: Hello, everybody. Good to see everyone. Ed, good to see you. You’re looking rather corporate spiffy-like today.

Ed: (Laughs) Yes, yes. Nothing like good Zoom to look corporate. Um, welcome everybody. I apologize in advance for my partner here, Scott. My (laughs). Nah, I’m just kidding.

Mm, Scott and I do a lot of these things. Um, some of you might have joined some previous ones. But what we always like to do and, and I’ll turn it over to Scott, is actually just have this conversation, almost like a fireside chat.

Jon did a great presentation and provided us with some of the predictions and what we’re seeing internally. But you know, what we do and how do we that is similar to our threat intelligence reporting, where we take everything internally, identify threats and trends and vulnerabilities, add what we’re seeing from the industry perspective and from a technology perspective.

So, Scott, why don’t you take us to our fireside chat?

Scott: Yeah, sure. You know there’s a little bit of rivalry between the Secret Service-

Ed: (laughs)

Scott: And the FBI over years. Ed’s a little resentful-

Ed: Oh (laughs)

Scott: Towards me because the first of the month I get a really nice pension check coming in.

Ed: Wha- ah.

Scott: You know I sit back and do that. But Ed and I have done about a dozen of these. If you ever listen to the frick and frack radio show with-

Ed: (Laughs)

Scott: Our Car Guys that kinda argue back and forth, it’s Ed and I. And we have a good time because what we don’t like to do is have a really boring conversation.

I really enjoyed Jon’s talk. And, and there’s a lot of things that we can learn. When we look to the future, Ed, we gotta look at the past. We’re talking about phishing. And phishing campaigns going back to today with COVID-19.

But I remember back to our days in Washington D.C. In 2005, the Hurricane Katrina Task Force, which is the first time where really, it took a government effort to combat phishing because everyone’s getting taken advantage of.

You know, another thing that we’re talking about is ransomware. And how that’s developed and morphed. And the problem with a couple of these topics is, it’s the same stuff that we’re always talking about.

And unless we can really go back to the past, take what we’re learning, and apply it to what we see today, we’re still gonna continue the same things.

Okay FBI Secret Service 2015 puts out an unbelievable report on ransomware prevention. And I’m in Nashville, Tennessee, Silicon Valley of healthcare. I retired from the FBI three years ago, had a 30 year career.

Spent about 25 years handling information security incidents, led by our cyber task force, which was with the Secret Service. And when this information came out, Ed, I was going crazy because here we are in Nashville, got a ton of publicly traded companies.

I’m trying to knock on people’s doors to explain to them, hey, ransomware. I got this great document that’s from the FBI, the Secret Service, Department of Homeland Security. Follow these steps and you can reduce your chances of becoming the next victim.

And here we are. It’s 2021. And you know, when you look at all the great stuff that’s coming out, we’re still going back to the same stuff that we did in 2015, when we start talking about ransomware. And that’s an issue that Ed and I talk about all the time.

You know, why is it so hard to get people to wrap their heads around it? Not my CISO friends here. You guys know what to do. But how do we convince corporate culture?

Every time there’s a watershed moment, it’s not a watershed moment. So what’s your thoughts on that, Ed?

Ed: No, I think you, you sort of captured a little bit and Jon actually alluded to it, as well. It’s, everything we’re seeing from ransomware and attacks, obviously, what we said back in 2015/16.

And from a Trend Micro perspective, that’s when we really saw this shift from locker variant type ransomwares into the crypto variant ransomwares that we see today.

And there was a huge spike in attacks and creation of ransomware families. You know, since then it’s been decreasing. But the impact of these attacks have gone up.

So it’s almost been an inverse reaction. And so a lot of the companies, I think to your point, you’re right. A lot of things change. But a lot of things stay the same.

And I think companies are still struggling with some of the basics for sure. But I think the one thing that we see, to make matters worse and more complicated, is the fact that they’ve been able to sort of automate and create this crime as a service with ransomware as a service. Providers are able to automate and extend their reach and capability and, obviously make money.

So, from a ransomware perspective, I mean, I think the challenges is with the companies and organizations is realizing that this is not your traditional cyber threat or attack that similar to a data breach, which is really the biggest threat there is, obviously financial and fraud aspect to it. But also reputation risk. Here, operational risk than from a ransomware perspective. And the reason why it’s gonna stay is, is ’cause it works. It’s, it’s an incredibly impactful.

And what they’ve done over the last even from… Obviously from ’15 to ’16 but since even ’16 and to where we see today is they increased their capability to have a deeper impact, in a more immediate impact going after backups at the same time.

And going after production data and databases and so forth. But, also going deeper into the core networks of critical networks within, you know, the victims. And so it’s one of these things it’s… (Laughs) I always… I’m a big Formula One fan. And Formula One fans know this very well. It’s still and… And they’re getting to this parity thing here coming up.

But it’s he or she who has the biggest bank account probably has the most successful racing team. Right? The more money you can throw into it, the more successful you are. And, unfortunately, this is what we’re seeing with these ransomwares as a service, I say companies, these sort of mini syndicates, is they’re re-investing in their capabilities. And so, the more technology… Wherever you pivot, they pivot. And whatever automations and capabilities that we sort of leverage to defend our networks but also for efficiencies and productivity in our networks. They’re doing the same ones on the cybercrime side.

So, from a ransomware perspective as Jon and, and as Scott has said is, is like one of areas that’s gonna be here to stay.

And, you’ll see different reporting. And we were discussing internally that sometimes you’ll see some notions of decreasing on the volume and attacks. And I think overall we’re seeing that.

But I think some of these numbers get skewed because we do have Wannacry attacks. And Jon and I were just talking about earlier today and yesterday. That are still permeating and creating problems but not being very successful. It’s because the, you know, EternalBlue exploit and the more like function of a WannaCry, it’s gonna continue to be out there. And be a noise.

But these other families are becoming much more capable and more impactful on these crews.

Ed: You know what? I did see a question, real quick, Scott. Let me jump… I saw a lot of questions regarding, and I thought it’s time, but we can pivot from there, you tell me.

Question around how pervasive would ransomware be if there were no cryptocurrencies? The only thing I wanted to say there, and I actually said it in on internal thread (laughs) two days ago is the fact that, and we’re seeing it now, as the US is looking to crack down. Know your customer through BSA’s anti-money laundering type of tools to go after these exchanges that make it easier for these criminals to monetize these attacks.

Cryptocurrency just happens to be the most recent digital currency or pseudo anonymous digital currency that they’ve been using. And the reason why they would actually want more cryptocurrency and Bitcoin is because of the values.

Specifically, Bitcoin, because of more of it being like an asset class as opposed to a currency. But, before ransomware really started to take off, the web monies of the world, the Liberty Reserve before it was taken down, there’s digital currencies that are pseudo anonymous and/or just more beneficial for these cybercriminal groups to utilize to exchange and pay each other.

It’s whether the cryptocurrencies are there or not, I believe, my opinion, that you would still have obviously, digital extortion. They would just be by another means.

Scott: Ronnie comes up with a good point. You know, the chances of the bad guys getting caught and prosecuted is very challenging because the bad guys are located overseas.

I asked a question to chat ransomware. Do we pay or do we not pay? And don’t tell me it’s a business decision. Okay? I’d like to hear from some of the audience over here because that’s the number one question I get all the time.

Do we pay? Do we not pay? So Ed, me and you can chat amongst ourselves until somebody decides to respond. Mark said it’s a business decision. But I want to hear from you guys because I do have my own opinions about this.

Because the phone would ring all the time. People would call up the FBI. They’d call up the Secret Service. And they would say, “Hey, we got hit with ransomware.” Okay.

And I used to say, “Hey, look. As long as you got a good backup you’re going to be okay.” And then there would be a couple of seconds of pause. And then you knew that either they didn’t test their backup. And today, according to most of our retired buddies who are having a great time in intrusion response, the bad guys are targeting the backups first.

And they’re stealing your information. And that’s kinda what Jon talked about, too. What we’re seeing with the new form of ransomware. So, think about this.
You get hit with ransomware. Your backups are encrypted. They already stole your stuff. They’re extorting you. And like the great poet, Mike Tyson, said, “A plan is only as good as it is until you get punched in the mouth.”

So, my whole thing is we spend so much time focusing on reaction. And we’re not spending enough time on prevention. And that’s where if we would’ve had these predictions from three years ago, you know what my prediction was?

Get as much cyber liability insurance as you could in 2017 because the underwriters had no idea how to underwrite. Today, how expensive is it, Ed, to… How expensive is it ’cause people would say, “Hey, my strategy is insurance.”

Ed: Yeah. I think going back to what Mark also put in the chat and what you’ve been saying, I think two-fold. One, obviously, it always depends. Right?
And then often times what we’re seeing it’s this business decision that organizations are looking at. However, now with new impending changes, whether it be laws and/or regulations, it might not be one of the options available to companies and organizations.

Now that’s definitely an arguable point to make. I have my opinion like Scott has, is that, I wouldn’t want to eliminate any options that a company or organization has to be able to fend off.

Because there is an assumption that only companies that do no security get actually hit. And that’s wrong. It may nothing. There is this, this pendulum and this range. Right?

Where you can have been doing security that you believed is meeting the needs that you have. And you can still have an unlucky or bad day.
So, I think the insurance piece or, part of the discussion is unique. Right? So it’s more and more becoming this catalyst for organizations to be able to mitigate risk on the cyber side.

My only challenge there or problem is I’m reading in this, is that there is so many companies or the attacks that are increasing and the impact of those attacks are increasing in essence.

Companies and organizations may be taking that decision from a business decision perspective saying it’s gonna be cheaper if I pay. As opposed to not pay. That, in the end, I think, is gonna pose a big problem when it comes to exactly what you’re talking about, Scott.

The premiums are gonna go up. And/or similar to, like (laughs), I live in Florida. And to get insurance, and flood insurance, homeowner’s insurance. That’s a problem.

I mean, there was a time when the insurance companies flood the state. And so they had to create other of vehicles where folks can actually try to insure or come up with some way to mitigate hurricane damage.

And… It could easily happen with cyber. It could be to the extent that if so many people are choosing the pay options some insurance companies might just not have the ability to cover all these payments and go out of business.

Scott: Wow. And there’s a lot of debate. I know that the insurance companies are… But let’s focus on the prevention. I just sent to everyone a document from 2016, which is really interesting to go read through.

Some of the prevention techniques that were talking about before. Such as, if you don’t know what’s on your network how do you patch?

Okay. And if you’re allowing any type of authorized software. And Ed, where does a company start? As we talk about the core critical controls, in theory, it sounds really easy. But, with the shortage of workers that are out there, what would you recommend organizations do to start? ‘Cause that’s one of the questions.

Ed: I apologize. My Rhodesian Ridgeback (laughs) has been able to learn how to open my office door.

Scott: That’s all good. What, where does a company start, you know? Where do you… There’s so much fog that’s out there that people are overwhelmed. They don’t know what to do or where… What’s a good strategy?

Mark put it up here. The CIS 18, great, great thing.

Ed: Yeah, no. I think the strategy, for me, I’m a big framework first discussion. To me, framework first is, and I love the Cybersecurity Framework. But there’s others, obviously. And the CIS 18.

Scott: (Laughs). Hey, I’ll continue to talk while you get the dog under control (laughs) over there.

Ed: Thanks, all right. (Laughs)

Scott: I hear it. It sounds like out of the episode of Seinfeld where the… He’s fighting with the dog in the bathroom.

But, but as you were saying, the CIS 18 is a great place to start. But it’s really hard to implement. And it’s kind of a little difficult to map.

Ed: Yeah. And it’s one of these things. Frameworks like, “best practices” are always one of these aspirational sometimes for organizations. Right?

I mean if you step in, if you’re a CISO, and you step into an organization that has been growing exponentially and has been going through acquisitions. And they increase complexity of their networks.

And bringing all of this to bear. At the same time you’re dealing with dynamic threats, is not an easy task. I think it’s not the one thing I say, is to start with a framework.

But then you start… You know, next is your partners, right? So, it is your partners within your industries. But there’s also partners, such as Trend Micro, we don’t do professional services. But we’re able to help. Right?

We’re able to walk with our customers wherever they need it and be able to provide resources if we have it internally but also through our partners.

So I think that’s one of the first places to start. Because once you get the framework, once you get a good partner and good network, then you’re getting into this, okay, I need to assess.

I need to go from the ground up. What are the threats that I’m facing right now? And what are my vulnerabilities? What are the vulnerabilities systemic and technical that I need to address?

So, that’s what’s nice about this framework. And that’s what I like about the cybersecurity framework. Is that you’re able to then assess against the risk that you face.

So it’s a maturity model, as well, in that sense. So, if you’re in a sector that is not as high risk, and you are doing what you need to be doing to mitigate that risk level, then you should be at the level that you should be. Right?

But what most organizations when they do this type of assessment, then they realize, okay, I think it’s four categories. And you might be at a two. Or level two.

You want to get, and you need to be at four or three because you’re in the financial sector or government. So, always, those are the first suggestions that I have is for folks that have really started to do this and need to do, really do a bottom-up assessment of where they’re at and what they need to do.

Scott: Listen, the cybercriminals do not care who you are. They don’t care if you’re a non-profit organization. They don’t care if you’re a senior citizen or a Fortune 500 company.

As long as you have access to what they want, they’re gonna go after you. And as we start talking about things the cybercrime problem keeps going up. According to Cyber Security Ventures, in 2015 it was a three trillion dollar problem.

Today it’s a six trillion dollar problem. There’s a lot of people even debating that. What’s the difference if it’s a trillion dollar problem or a six trillion dollar problem? It’s still a lot to grasp.

It’s going up. We keep spending more money. But we’re not focusing on the most important things. We’re not focusing on the elements here.

E-mail has been the number one attack vector since 2005. How do we train our users? I got all of these… Companies are going, “Hey, this is great. We’re doing phishing tests. We just reduced our click rate from 50% down to 10%.”

I go, wow. That must make the CFO really happy. But you have 250,000 employees. So now you have 25,000 employees who will have clicked on that link. Are we doing things to prevent executables from running on our network?

Because no matter how good we are, no matter how much training we’re still gonna get an email from somebody we know or somebody we trust. Look at Colonial Pipeline. Let’s go back to basics here.

We had an account that wasn’t used in how long? Over a year. How are we keeping track of these things? This is why it’s so important that we have to focus on the hygiene.

Prevention is ideal. Detection is a must. But we can’t give up on prevention. And I think it was Mark, again, who said that you know, frameworks are easy. But changing the culture of the organization is hard.

And we’ve been trying to change it forever. But we still got to keep fighting the good fight.

Ed: Yeah. I’m looking at some comments here. David brought up culture. Right? Yeah. Frameworks are easy culture is hard.

I think that goes to the other ways that maybe the phased one dot two type of thing is. It’s the culture and how do you address that?

I think that’s a challenge. Right? From a CISO perspective, you have to, from the board room down to the server room. So you need to be able to communicate the risks that you’re seeing and being able to communicate the needs and the resources you’re looking for to be able to mitigate those risks.

Um, and one of the things that I’ve seen and it was one of our other events a couple of years ago. It was a panel discussion. And they were talking about how do you breach the board?

And how does the board come into play? I mean, obviously, the board more and more, because now they are becoming more personally liable as well when organizations are attacked.

Especially if the bell has been rung saying, hey, we’re in trouble and we need resources. And the board hasn’t responded or react in an appropriate manner.

But, the way to do that is the secret sauce. And with, on the panel there was this discussion about alignment. So, not just doing reporting in your typical, old school five years ago way of volumetric reporting.

In other words, we stopped a thousand attacks or ten thousand or this or that or the other. These volumetric type of statistics when you’re reporting to the board.

But better yet, aligning it to the actual mission and the objectives of the organization. Right? But if it’s a public organization, if it’s a non-profit, if it’s obviously for profit, how do you align what you’re doing within your organizational structure from a CISO perspective or working in that security team?

How are you telling that story? It’s all about telling the right story about how you’re aligning and how you’re making that mission and objectives achievable by what you’re doing within your team.

And in that panel it was great. It was the American Cancer Society. And talking about how they paid for homes, for temporary homes, or residences for those needing treatment and so forth.

And, and the way that CISO brought it up he was saying that he was able to say that him preventing this type of attack, which on average costs X, they are able to provide additional homes for cancer patients and their families and so forth.

So that alignment in the story is critical. And it’s a challenge. Healthcare. Going fighting for resources when they need to get a new MRI machine. Or this or that or the other.

And how do you tell that story on the healthcare side on why it’s critical for you to do your job and mitigate risks for that hospital or that company.

So I think a culture, big thing. And not an easy thing. But, definitely achievable.

Scott: You know, and maybe I mean I need to come to you to, for you to be my filter when I go out and I talk to clients-

Ed: (Laughs)

Scott: Because-

Ed: I don’t know if you want that.

Scott: I lost a training client because as I was talking to the C-Suite and the board, I told them that the biggest… If you’re gonna, if you don’t…

And this is why I said, if you do not have two factor authentication on your email and all of your remote access, all your cloud based accounts, you need to really evaluate what you’re doing.

Because no matter what you’re spending money on, it’s not gonna work. And they got really pissed off at me. And I was like, look, the truth kinda hurts. And even my friends in intrusion response don’t like me saying that because 85% of intrusion response work today is account compromise.

And that just kind of is the stuff that we have to get through and we have to be doing this at home. We have to be educating our boards and our C-Suites.

Now I know, Ed, me and you only have about another minute or two left. But I want to give you the last word. Where do we start?

That’s my big takeaway. If you’re not gonna do anything else, you have no budget get the two factor authentication turned on your Salesforce. If you’re gonna have a hard time with email, identify those platforms and make sure you’re doing it at home.

What, what would be your big takeaway for everybody here?

Ed: I mean I think you said it. You know, back to the basics is definitely a theme. But, to me, I think, as I was saying before, it’s that partnership piece.

I think the reason why cybercriminals are so successful, especially today coming out of these cybercriminal undergrounds, specifically Russian speaking cybercriminal undergrounds, is they’re able to scale trust.

They’re able to work with each other almost sight unseen. They’re operating off these pseudonyms and these reputations. The cyber cred attached to these pseudonyms.

And they’re able to trust each other to go into some very large you know, data breaches or ransomware attacks and this or that and the other. And that’s one thing that we don’t do well enough often.

So I think partnerships with law enforcement and ISACs and ISAOS partnerships with companies like us. I mean, I think it’s critical.

I’m always the believer that if we don’t have the answer, we’ll definitely find the answer for you. And connect you with the right people.

But I would say that was gracious for you to give me the last word ’cause that’s usually not the case. I just want everybody to know that. (Laughs)

Scott: I don’t know why are you so… Why are you so tough on me? I don’t understand.

Ed: I don’t understand.

Scott: After I saved you when your dog came through.

Ed: (Laughs)

Scott: Don’t worry about

Ed: (Laughs), aw.
(Music)

You May Also Like

How to Write a Cybersecurity Policy for Generative AI

Use PCI DSS Checklist with Automation

Zero Trust Adoption: Tips to Win Over Leadership