Thom Langford: CISOs, Complexity, Containment (and other C-words)

Welcome folks. Thank you for having me. CISO's complexity and containment and other sea words. There will be plenty of sea words in there for you to look for. And guess there are no prizes. I'm afraid. That's just the way these things are, but you will have my eternal gratitude for paying attention for at least the next 17 minutes or so.

So let's, let's start from the beginning. Shall we, as soon as I can change slides that is there we go. Let's start from the beginning. Protection is no longer enough. We know this right, you know, protection, antivirus protection, legacy, antivirus. It was table stakes and has been for years and should continue to be so however that the ability of us to just protect our endpoints and our servers, et cetera, is, is never enough. We need to be stopping attackers before they start knocking on the door. As it were.

We really need to ensure that we have this detection capability, the ability to see the attacks before they're happening, because we're seeing getting certain telemetry that activities are happening, et cetera. And we need to be able to respond to them as well. We need to be able to do something about the attack that we are detecting is in progress, not after it has happened. And not only when it's an attack that we recognize from before. And the reasons for this are, you know, fairly commonplace.

If we were to go back to 2017, the days of WannaCry and not picture, you know, not picture it was, you know, as the result of an attack on a Ukrainian accounting package, the, the malware was sent out as part of the updates. It hung around and then it, it attacked. And it crippled companies all over the world. There was probably a targeted attack, but there was so much collateral damage. It was hard to tell many, many international companies were taken out of action for a long period of time, many, many weeks at a time.

And that's, those are weeks where business operations are not normal and that's going to cause issues. Then of course, we had the sunburst attack. Sunburst had actually the malware had infiltrated into this particular large vendor that that was used to supplying government agencies, federal agencies, large enterprises. And it was around about December last year after the updates that had been sent out, I think over the summer of last year had been applied any system of theirs that had had this particular patch applied. They were vulnerable to this, this sunburst attack.

And so, as you can imagine, hundreds and hundreds, probably thousands of companies. In fact, almost certainly thousands of companies around the world were affected by this and had ostensibly a back door opened on their systems. And as it turns out, the attackers were actually in place for upwards of nine months. That's nine months of gathering telemetry, looking around finding the weak spots and being able to embed themselves into the, into the update mechanism that allowed this malware to spread, you know? And so it comes as no surprise that many analysts around the world.

One, for instance, labeled stated that it took on average 197 days to ascertain whether you had been breached or not to put that into context, if you are breached at some time in September, early October, this year, chances are those attackers are in your system today. That's quite a sobering thought to say the least.

And the one thing that really, you know, upsets me as a professional here as a professional CISO is it, is it, it breaks and attacks the central tenants that we have of, of the advice that we give to our people and our organizations, namely run your security patches, make sure you're up to date, make sure that the latest security patches are in there so that you are not vulnerable. That the actual mechanism we used to improve our capabilities is being used against us. So the point where even just a few weeks ago, I was asked on a panel, should we as individuals stop applying these patches?

Obviously, of course not. You know, there is a much smaller risk of being attacked by malware that has made its way into the update package that you're applying versus not having it applied in the first place, but still it's, it's this, the insidious of these kinds of malware and attacks that are there are causing us real problems. And so very own KA Cole said back in 2020, December, 2020, in fact, in a report on endpoint protection that protection from known threats alone is no longer a feasible strategy, not a no longer a desirable strategy or is, should be considered an optional strategy.

It's simply not feasible. You cannot have legacy AV, you cannot have signature based protection. The only protects against things it knows about in advance on your endpoints and that this new class of endpoint detection and response products that detect and investigates suspicious activities is what's come about as a, as a result of this. And that's why protect is no longer enough for us today. So let's take a slight segue.

Now let's look at the life of the CISO, you know, back when I was a young whipper snapper of a CISO back when I even had hair even, and didn't have to wear glasses well, life as a CISO was nice and easy. Really. You had to worry about three, possibly four things, the confidentiality, the integrity, and the availability of your data for the patents out there, I've thrown in safety for anybody who has to deal with industrial control systems, etcetera. But really the CIA triangle is the one we know and love.

And yet, now we are in this situation where we are littered littered with a literally of attacks and types of attacks. Yes, of course, they're, they're, they're all mechanisms of affecting the confidentiality, integrity and availability, but that's such a broad range.

I mean, who would've thought that resource abuse, cyber terrorism, you know, 10, 15 years ago, it was almost unheard of SPRs, maybe coin miners, malware hacking a bunch of highly motivated attackers wanting to get into your environment in order to leverage all of your data against you, or even just to quite simply steal your data.

And if that's not bad enough activism, you know, this has come about a lot in the last 10 years, but it, you know, dramatically so more so recently, you know, if, if financial gain was not a was not a big enough motivator, then what about moral and ethical guidelines as a motivator, people who feel that they are doing the right thing for the people and the planet itself by attacking you and making your private secrets public. This is an insane kind of environment that the CSO has to deal with. It's no surprise that the average CSO looks like this now, right?

They're, you know, lacking sleep. That's what CSO stands for now. Career is so over because it really is such a, a complex environment for a CSO to operate in. And then you throw in situations like COVID, or even just the mere fact that not only are being attacked, but you actually are breached. The attackers are inside your network. This is obviously an unrelated photograph. It's a photograph I took on January 1st, this year, the first day of Brexit.

So business, as usual as you can see for all of us, people on the other side of the channel at the moment, but all joking aside, you know what happens when you actually are attacked? What's the sequence of events you go through.

Well, let's look at this from a three stage three stages of the incident. You can of course break it up into as many as you want, but we've got the pre-incident period, the blissful ignorance. This is the 197 days. You don't quite, you know, you don't know that anything is going to happen flick all the way to the other side. You've then got the post incident. I say plenty of time in there. That's not quite true. What's really the case here is that the crucial period of time is over. You can mop up, you can address things. You need to make sure that your fixes are in place.

There's no doubt about that. The NCSE recently published a blog that didn't name, thankfully, a, a UK based company that paid a ransom of a, roughly 6 million pounds to ransom a ransomware gang, got their data back. Fantastic. Two weeks later hit by exactly the same ransomware and exactly the same gang in exactly the same way, because they hadn't learned anything and moved on and dealt with it. I have heard that actually, the gang has now assigned them a technical support manager, as well as a sales manager so that, you know, to help improve the period of time that it takes for them to pay.

However, let's talk about the Perry incident, the going wrong and trying to fix it part. This is the part of the instant, which is when your business as usual doesn't exist. It's the part of the incident where you're trying to fix things as quickly as possible.

Your, your time is not your own. You're being called upon sort of variety of mechanisms and a variety of people to address it. And you go through this sequence of events at the bottom.

You, you know, you detect it, you respond, your systems were even automatically respond. In some cases, there's an alert. You identify it, you investigate it, you respond, you contain it and verify the containment. And then you mark it as we are done much of this nowadays, certainly with the, with your normal and average security operation center, your average sock, this is all manually driven.

It's driven by a huge amount of telemetry that's gathered and what you have as a result of these telemetry, which has been gathered millions and millions of, of, of events of some description is you get a very, very low signal to noise ratio. And so you are operating at human speed versus machine speed. You are trying to address, you are trying to beat the beats, the malwares on your system by under-resourced overworked, human beings, who are a lot slower than systems.

And this becomes very apparent because when you look at, say again, the Institute saying 69 days on average to contain an instant that's over two months when your business is not operating, normally when you are not able to pay your vendors, when you're not able to possibly even pay your staff, when you're able to produce your widgets or whatever, maybe things are getting a little better. Mandiant in 2020 said it takes 56 days to contain an incident.

So in two years, either the meantime to recover has gone down from just over two months to just under, or we're looking at a statistical rounding error. I think I know what my money is on. So there are six key aspects that we should look for in how to improve our sock, how to improve our response and to use that machine capability, that machine speed in order to address these issues before they start and allow us to do our business first off is we need to implement automation across our socks machine speed, over human speed. As we said, reduce that workload, reduce that level of, oh, sorry.

Increase that level of signal to noise ratio, minimize the time to contain the vast majority of those instance. Think the 80 20 rule, for instance, we then need to make sure that we have the, the systems are able to operate with autonomy. They can detect without any kind of dependencies on the endpoint without prior knowledge. So zero day threats are not you. What that means is you're detecting them quicker.

There's less dwell time before detection and as much ransomware, for instance, as one example, what they do nowadays is of course, they spread as far and as wide as possible at first, before activated, because that's how they get maximum damage and therefore maximum likelihood of being paid. You need the ability for your systems to correlate. So you are going to be reducing your Analyst workload to rather than presenting them with a thousand events that are happening, network events or, or endpoint events that are happening on your network.

You're presenting them with 10 work stations that have been affected by the same malware. That workload is immediately down downgraded a lot. It allows that actionability of the detection and the containment to improve really quite dramatically, fourthly end to end integrated processes.

The, the fact that you can see across your entire life cycle of what has happened, allows you to track every single step that the malware or the attacker has made, and therefore learn from that and improve your automated response capability in the future, as well as allow you to roll back as a result, if you're tracking every change that's made, you can also then reverse those changes as well.

But ultimately one platform, we all know what it's like work sitting at our desks, working on outlook and then words, and then web browser, and then slack, and then zoom or Skype or teams or whatever that context switching is, you know, reduces your ability to operate efficiently so much, and nothing could be truer than this. In the case of an incident, you've not only gotta deal with the endpoints, you've gotta deal with the firewall. You've gotta deal with device controls. You've gotta deal with network isolation, et cetera.

If you have to wait for, you know, Dave or helmet, the, the firewall or network admin to action or change, and there on holiday, that's going to slow things down quite dramatically, a system that allows you to do this all from a single platform in a way that meets your procedural guidelines. And in a way that is, is auditable and evidence is able to provide evidence of an activity is absolutely vital again. And finally, the thing that I'm most passionate about is the sock empowerment side. Anybody who's been to a so knows that they're just dark rooms filled with monitors.

People who work in there for 12 hour days, if they're, you know, large screens everywhere. And if they're unlucky enough to work in a certain environment, there's a big glass wall behind them so that everybody walking past can gorg in on them. It's not a great environment to work in. And when you add to that, that noise signal to noise ratio being incredibly low it's, it's dull, it's difficult. It's not interesting and is not a place to learn.

If you can actually hire your so Analyst to do the job they were hired to do not filter through lots and lots of Excel spreadsheets or lots and lots of data, but actually address the issues. You can empower them. They are able to analyze, use the human brain, which is, you know, let's face it still incredibly useful these days to actually do the job and respond and contain much, much faster.

So that's, you know, that's our recipe that we think is, is the way to go when it comes to empowering your stock, reducing complexity for your CSO, and as a result, reducing your time to containment. Thank you very much for your time. I believe I'm just, just about on the clock. And if you do have any questions, I'd be very happy to answer them. Thank you.