Back
Q&A: Asset Management, Vulnerability Management, and Authentication are Changing the Game for this CISO
The number of security controls and activities any given cybersecurity leader manages is continuously evolving. For instance, this year, the Global InfoSec Awards features 212 different categories – from penetration testing to insider threat detection to breach and attack simulation. That’s 212 different technologies or security activities CISOs could be implementing dependent on their needs.
This highlights the importance of taking a step back to recognize the activities making the greatest difference in your security program. AF Group CISO Seth Edgar does just that during our Agent of Influence podcast interview. For Seth, asset management, vulnerability management, and authentication topped his list of cybersecurity best practices.
Continue reading to learn how these security activities are changing the game for Seth and for highlights from our discussion around his unconventional career path, lessons learned from reverse engineering, and cyberattack trends in the insurance space. For more, listen to the full episode on the NetSPI website, or wherever you listen to podcasts.
What have you learned from your experience as a middle school teacher that you apply to your role as a CISO?
Middle school is an area of your life that’s memorable for a lot of reasons. As a teacher, delivering materials to students in a manner they can consume is an ever-changing battle. Not only is there the struggle to remain interesting and relevant to a roomful of 12-year-olds, but also understanding how to communicate a complex subject or introduce a new, complex theme. I couldn’t stop at relaying the information. “I’ve put it out there, now it’s on you to consume,” was not an effective strategy. I had to make sure that the concepts were reinforced and delivered in a manner they could grasp because my goal was for them to be successful.
As CISO, I’m doing the exact same thing. Most of my job is education and a portion of my job is security, budget, and people management. I’m teaching people why security is important. What is higher or lower risk. I’m talking to executives and communicating the ROI of security. In doing so, I have to gauge on the fly whether they’re tracking with what I’m saying, or whether we’re going to need to revisit the topic from a different angle.
I get exposure to upper-tier leadership within my organization, but those interactions are limited. They have to be because they’re scheduled. It’s not like a classroom where I’m with the students every single day. If we missed it today, we’ll get it tomorrow – same time, same place. With business leaders I’ve got to get it right the first time.
Just like in a classroom, you have to get to know the students before you can truly teach them. And at the end of the day, you must make your material relevant and usable for them, make it understandable and draw upon their background. It must also be presented in a manner that makes sense, without oversimplification. All those techniques are exactly what I’m doing right now as a CISO, just with a different body of knowledge. Finding that the balance between simplification and understanding is a challenge, but it’s something that I can draw upon from my prior experience and from my undergraduate education to help me communicate complex security topics clearly to my leadership team.
Are there components of what you learned from reverse engineering that you apply in practice today?
I am a big fan of learning by doing. It’s way different completing a sample problem than it is touching real software. It is helpful to have a deep technical background to be able to have conversations with technical folks and establish credibility. However, the more important lesson that I pulled from those early days doing reverse engineering is that it’s okay to have trial and error. It’s okay to make mistakes and learn from them.
As a leader, I don’t punish mistakes, we learn from them. If that mistake is repetitive, I’m likely going to move you away from doing that that role within our organization. But mistakes are part of the learning process. They’re important. We too often think, ‘I’m not going to do anything because if I screw it up, I’m going to get in trouble.’ That’s not how we learn, that’s not the way that systems are developed, and it’s certainly not the way you have a breakthrough. So, the most important lesson I learned from reverse engineering was learning how to make a mistake, recover, and use it to inform the next steps going forward.
There’s been a lot of news recently about the insurance space, such as the CNA Financial ransomware attack. Are there certain attack trends that you’re paying close attention to today?
We are watching a lot right now. Ransomware is a high risk and a top-of-mind issue, not only from a perspective of ransomware prevention, but also from an insurance perspective. We don’t touch this area much in my role, but cybersecurity insurers are starting to realize that their model may need to change because the risk profile has ramped up significantly. If you look at how ransomware has grown, we have seen this crazy upward trend in financial impact and sophistication – nobody wants to get hit. At the same time, if it is not going to happen to you, it is very likely will happen to a third- or a fourth- or a fifth-party provider. That’s where supply chain security issues come into play.
With COVID-19, many went from a fully on premise workforce to a fully remote workforce almost overnight. There are inherent network risks and security models that bank on a perimeter-centric security. There’s a large knowledge exchange that had to happen with groups of people who always report into a building that have maybe never used a VPN or had to do any kind of multifactor authentication before, whereas other people have been doing it for a decade or more. There’s going to be that subset of your users that this is the first rodeo they’ve ever had with remote workforce security protocols.
We’ve seen interesting scams arise out of this. Wire fraud transfer scams have always been existent but are taking advantage of companies that have changed business models. Attackers try and monetize whatever it is they get their hands on. If I’m an attacker, if I compromise an email account, I want to turn that into some sort of monetization as quickly as possible.
There is one clever attack that I’ve heard described among my peers. Let’s say I compromise a mailbox and immediately search for the word “invoice” looking for unpaid invoices. I find out who the sender of that invoice is and create a look alike domain for that sender. Now I spoof that exact user that sent the invoice in the first place and say, “This invoice is overdue and needs to be paid.” It creates that sense of urgency just like a normal attack would and then, you get them to change the wire transfer number. Now they’re stuck in a position where they’re trying to describe a decently complex attack to probably an under resourced small- to medium-sized business.
Many organizations don’t have the capability to view and understand how the user got into their environment and it becomes a game of finger pointing. It’s an awkward and difficult situation to be in. This brings up the importance of validating senders and sources. A positive business best practice in this situation would be to reach out and validate the information with a verified contact.
What are the most effective security activities you’re implementing today?
The most effective security activities that are changing the game for me have revolved around strong asset management, patching, and vulnerability management practices.
Beyond that, having strong authentication is equally critical. Not only multifactor, but checking system state, user agent strings, consistent source IP, and similar practices. I can know, with relatively simple rule set, whether a log in is attempted with a new IP, device, or if it is a new source for this user’s authentication, and act accordingly. We’ve seen some incredible progress, just not only in our own development or tooling, but leveraging products we already have available. They’re not perfect, none of them are airtight. But it gives us a certain probability or a reasonable level of assurance that this user is who they claim to be – or not.
As mentioned earlier, moving your workforce to remote is a hard problem to solve in areas like vulnerability remediation and patch management. Getting software updated, especially if it was historically on-premise, is a major shift. If you’re working with an incomplete asset inventory right out of the gate, you have no indication what your success ratio is. This is an age-old problem that organizations still struggle with today. Whether you have good asset management can tell you whether your security program is successful.
The bright side? Vulnerability management and asset management are areas that can be improved and understanding your attack surface is a good first step. The Print Nightmare vulnerability is a great example of this. Once alerted, having a good understanding of the devices that need to get print drivers locked down on and what devices you need to make changes to rapidly reduce your exposure proved vital in that situation.
