Organizations are under attack everywhere, and data breaches cost millions. Coupled with a lack of trained security professionals (a worldwide shortage, according to some researchers), a perfect storm is setting up. On this episode of The Disruptive Enterprise Podcast, host Gregory J. Turner, CRO/CIO at MTM Technologies, and guest Alejandro Lavie, Director of Strategy for Flexera, discuss cybersecurity basics and how to navigate a virtual arms race of cybersecurity vendors.
Many organizations don’t know how many devices they are protecting on their enterprises. That can lead to huge vulnerabilities if you lack visibility into your devices.
Who’s ready to talk about cybersecurity?
The Disruptive Enterprise – Cybersecurity: Creating a Stronger Enterprise Security Posture
By Gregory J. Turner, CRO/CIO for MTM Technologies, with Alejandro Lavie, Director of Strategy for Flexera
Gregory J. Turner: Welcome to our continuing podcast series at The Disruptive Enterprise. On our cybersecurity series, we are going to be discussing security challenges facing the enterprise, how to develop a stronger security posture for your organization, how to gain a higher confidence in your ongoing protection efforts, and ways to gain greater visibility and deeper understanding of all your operations and infrastructure to better prepare for all the threats encountered by your network.
Gregory J. Turner: Organizations are under attack everywhere. The average total cost of a data breach in 2016 was $3.62 million. According to a study by Ponemon Institute, that cost has only increased in the past few years. The problems are exacerbated by the lack of trained security professionals. According to a 2017 report by Frost & Sullivan, there’s actually a worldwide shortage of security professionals. This talent shortage combined with an increase in incidents has led to a generally weak security posture among many organizations. Successful attacks result in huge monetary losses, loss of intellectual property, compromised client information and confidence, and lower corporate valuations.
Gregory J. Turner: With me today on the podcast to help me add some perspective and guidance is Alejandro Lavie, Director of Strategy for Flexera. He has over 20 years of consulting and business development experience in four countries with an emphasis on cybersecurity, IT operations, IT service management, and process optimization. Flexera is an MTM partner, and like MTM, has been providing IT solutions and visionary leadership for over 30 years. Welcome to The Disruptive Enterprise, Alejandro.
Alejandro Lavie: Hey, Greg. Good morning. Thank you so much for having us.
Gregory J. Turner: No problem. Before we get too far ahead of ourselves, I think we should get back to the basics of cybersecurity. Alejandro, I think you would agree.
Alejandro Lavie: Yeah. Absolutely. I would agree because back to basics has been my motto for about 10 to 15 years since I’ve been heavily involved in the cybersecurity world, advising and consulting for many companies around the world. It is an understatement how important it is for us to rethink how we evaluate and do security and go back to basics as a foundational principle.
Gregory J. Turner: And that’s excellent. And I think, probably, it starts with education.
Alejandro Lavie: Well, yeah. Education is one of the elements, right? Going back to basics, I think, Greg, goes to a little bit more—maybe two things, user education, as you mentioned, and one of the most common in all the practices in the cybersecurity world, the vulnerability management. So, why do we say back to basics? Have you been to a cybersecurity event lately, Greg?
Gregory J. Turner: I haven’t this year but planning on it for next year.
Alejandro Lavie: Right. So, the last one you went to, how many vendors were there in the vendor area?
Gregory J. Turner: Probably over a thousand, right?
Alejandro Lavie: Yeah, exactly. It’s really overwhelming. There are so many vendors out there. And when you walk their halls, everything sounds the same, AI, ML, predictive analytics, next generation this, next generation that. It’s super cool for us in the middle of this, right? But it’s overwhelming. And a lot of the organizations that go there and roam the halls of RSA and Black Hat, et cetera, they all seem excited about these technologies. But some of these things have become toys for tech users with deep pockets and deep budgets for security, because boards are allocating a lot of money for security principles. And hey, if I like technology, I find that cybersecurity, next-gen, predictive analytics, something to help me out, I’ll try to get it, right?
Gregory J. Turner: Right, right. It’s kind of almost an arms race in cybersecurity.
Alejandro Lavie: Yeah, and we always have to have a leg up compared to the adversary, right? So, the bad guys. But, Greg, when you go back to a board room or a meeting room in any organization of any size in any part of the world, and probably you have the same experience, if you ask, “Guys, how many devices do you have in this organization?” I don’t know about you, but I get a different answer from every person sitting on the table.
Gregory J. Turner: We have found today, Alejandro, that companies have five times to seven times the number of devices as they do end users. And so, in a typical organization of, say, a thousand end users, you might see something like 5,000 to 7,000 devices.
Alejandro Lavie: Right. And that sounds about right in my experience. But that’s a good guesstimate, right? But still, when you sit down at the boardroom with any of these organizations, they don’t know how many devices they really have. Everybody gives you a different answer because they have a limited version or perspective into their landscape of technology; let alone the more complex questions that, “Hey, how many end of service life versions are you actually running today in software and hardware? How many web servers that you have on Apache are unpatched?” Those more complex questions cannot be answered if you don’t have visibility into those devices.
Alejandro Lavie: So, that’s why we talk about going back to basics. There’s a lot of ML and AI and all that, but if we don’t know what’s out there, and the characteristics, and state of what’s out there, how can we go and do some advanced stuff? So, going back to basics for us has a lot of weight in terms of, first, running the first two or three steps of the CIS 20 controls, the NIST recommendations. They’re already frameworked, right? The first things they tell you for security is know your hardware, know your software, manage your vulnerabilities. So, those are the kinds of things that I like to talk about when we say go back to basics. And I’m not saying it’s easy when you have an organization with more than a hundred users, you will have complexities. And let alone 10,000, 30,000 employees, right? But yeah, it’s part of the model that we have, and it’s true and the same for the decade over.
Gregory J. Turner: Yeah. It’s interesting too, and when you talked about the number of devices and really knowing your hardware and software environment, today, the patch management has gone crazy, right? Years ago, as a CIO, I used to manage a large organization IT, and we might have patches prescribed by the OEM once a quarter.
Alejandro Lavie: Once a quarter, wow. Yeah, I wish we could say that.
Gregory J. Turner: Today, it’s completely changed.
Alejandro Lavie: But it’s a zero-sum game, right? Because I used to work for a company that was dedicated to vulnerability management and patch management. Flexera acquired that company. And our research was really, really deep. So, I can tell you confidently that today, the vulnerability management aspect, it’s really overwhelming for most organizations. And the reason why it’s important, just to try to have an analogy here, I’m not good at analogies, but imagine you have a house, and you have the most sophisticated alarm system, the AI, ML looking for burglars and theft. But if you leave your door open, and if you put a post-it on the front door for anybody to access your garage, you’re not doing much.
Alejandro Lavie: Because of the sheer number of vulnerabilities out there, it’s pretty easy to guess how many, where, and what vulnerabilities you have. So, for anybody with a little bit of motivation to breach you, and hack you, and get information, access to your users and your data, it’s pretty easy. So, yeah, vulnerability management and patch management are very hot topics that I believe belong squarely into going back to basics just as the user education, right? For me, those are the two pillars, Greg, for sure.
Gregory J. Turner: Absolutely. I think our partner, Cisco, often says there are two kinds of organizations – those that have been breached and those that don’t know they have been breached. The losses from breaches are staggering. And some experts say the Breach Level Index indicates that 5.1 million records are lost or stolen every day. And that equates to about 212,000 records every hour or 3,000 every minute.
Gregory J. Turner: That’s pretty amazing when you think about it, and it really starts with just having that understanding of your vulnerability. And even if you can look at your software life cycle management, making sure that you’re maintaining the compliance, and the right levels, and updates to your software that are running your business, I think, are important aspects that you can take to really address some of these record losses. I mean, it’s incredible what’s happening today.
Alejandro Lavie: Yeah, absolutely. And as we generate more and more information, and as we as citizens and end users of the digital space, as we volunteer information, the more data we are making available for anybody to access. So, nowadays, thinking that your social security number is a secret number, it’s ridiculous. Thinking that your credit card number is unique and only you know it, it’s naive. So, assuming that you have been breached more than one time is probably safe. And that’s where user education comes in.
Alejandro Lavie: For me, the people, the interface between the keyboard and the chair, that first line of defense is the weakest link. You probably saw the—I think it was last week on 60 Minutes, there’s a segment of a cybersecurity expert that was trying to inflict some damage in an organization using purely social engineering. I mean, social engineering sounds like complex, but it’s actually the easiest, the more cost-effective, fastest, sometimes, way to gain access into an organization, right? And partly because we are sharing everything about our lives online and there’s a lax security concept in people in general.
Alejandro Lavie: So, in this 60 Minutes segment, which by the way, there’s many of them around the web, if you search for them, but in this segment, this individual reached out to a couple of providers for this family that happened to be the family of a well-known executive in a financial institution. And they reached out to these families to understand, “I called the beauty parlor where the wife goes”, which is easy because you go on Facebook and you see it. And there, you can find information about where they live. And where they live, it leads you to being able to change passwords. And maiden names, security questions, and change passwords to have access to accounts that lead to more and more and more intrusion in these people’s lives.
Alejandro Lavie: And when you have a little bit more information about this person, it’s extremely easy to access more difficult resources to access in real life. So, if we, the organizations, put a bigger emphasis on user education and exposing these kinds of things, I think we have a leg up. And you’ve probably seen some of the education programs that are run in different corporations where once a year, just for regulatory purposes, you put out a 30-minute webinar training for people to just say, “You passed”, that’s not enough. That’s not enough. We should be using gamification to make sure that everybody is constantly trained about how to respond, how to identify a possible spam, a possible phishing, how not to piggyback somebody into your offices, into your facilities.
Alejandro Lavie: Those things are easily forgotten because, let’s face it, security is inconvenient, two-factor authentications, don’t repeat your passwords, don’t open spam, don’t click on malicious links, don’t let people go behind you when you’re going into a secure building. Security is inconvenient. So, I think it’s very important for us to refresh that with everybody, every employee in every organization.
Gregory J. Turner: Yeah. I have an experience where going into a client of mine that was a highly secured organization, world-class IT operations, world-class business operations, and I walk into their offices, and we’re solving a business problem and challenge, and I knocked over the keyboard, and underneath the keyboard are post-it notes with all the person’s passwords. And so, here, even at what you would have recognized as a world-class organization and certainly a leader in being cyber secure, even there, their employees needed refresher courses on cybersecurity and not leaving post-it notes underneath their keyboard.
Alejandro Lavie: That’s right. It’s the weakest link. And again, if you want to exploit a software vulnerability in an Apache web server, and you want to try to access millions of records of any company, that’s hard. I mean, you have to have some programming skills, understanding how things work. But to access that person’s computer and just inflict any kind of damage, all you need is just access to that person, right? Know their date of birth and know which Starbucks they frequent.
Alejandro Lavie: I bought a Pineapple device, one of those online devices that you can access to spoof WiFi, went to Starbucks, within 30 minutes, I had access to probably 15 people’s computers with their photos, files. I mean, it’s so easy technologically, but if I had gone, stepped beyond that and used some of the information that I captured, I could have easily gotten access to much more sensitive information. It’s so, so, so easy. And people in general are not aware enough, which leads to the other thing, right?
Alejandro Lavie: People are the single biggest threat to organizations when they’re not educated and alert. But when it goes to the cyber world and you have targeted campaigns against an organization from maybe a nation-state, maybe a remote operative that’s trying to access IP that’s very secretly contained, and social engineering is not as accessible, or this individual’s social engineering skills are not that exciting, then you have the issue of vulnerability management that we were talking about, right?
Alejandro Lavie: And there, again, first step, everybody says, everybody knows, know your hardware, know your software, manage your vulnerabilities. But the problem, Greg, that we see is there’s not enough intelligence out there for you to focus and prioritize where you spend your time. To your point earlier, 10 years ago, when I started in this business of vulnerability management, there were about 5,000 new vulnerabilities disclosed every year. I mean, 5,000 sounds like a lot, but you could tackle it with maybe two analysts using the NVD for a CVSS score and prioritizing which ones are more critical.
Alejandro Lavie: The problem is that those 5,000 turned into 25,000 new vulnerabilities every year. That’s unmanageable. That’s, as you were saying, the lack of cybersecurity-trained people is skyrocketing. So, now, we have fewer people to manage 10 times more problems. And it’s impossible to manage. And that’s where I am getting excited about the things that I’m seeing in those road shows or events that we were discussing at the beginning, right? So, ML and AI being used to provide services to organizations, so that they can use the little stuff they have for vulnerability and patch management to prioritize where they spend their time.
Alejandro Lavie: And the reason for it is that threat intelligence, meaning understanding what vulnerabilities are actually being exploited in the wild, that service, that intelligence, because we have access now to deep forums and natural language processing, and massive amounts of data lakes, so that we can analyze, that part of the technology is getting really exciting. Because if you believe the providers of these technologies, about 6% of those new vulnerabilities that make it into the world out there theoretically every year, about 6% only have an actual exploit.
Alejandro Lavie: So, if I can tell you that, hey, instead of taking a look at 25,000 new every year, by the way, you have still not caught up with the ones that are five years old, if I can tell you that you should only focus on the first 6% that are actually being exploited, and are real, and present danger, and threats for you, wow, that’s amazing because now, you can spend the little time you have for patching on patching the things that matter to you.
Gregory J. Turner: That’s exactly right. And again, it really goes back full circle to your first comments, right? It’s back to basics. It’s clearly, we can’t predict every problem that’s going to hit IT, and we can’t possibly think of every way to solve a problem before we actually encounter it. But if you have good hygiene, good discipline, and good practices, it can prepare you to be alert and aware when things are starting to go awry, and it certainly can help you respond. And I think back to basics and education, the vulnerability analysis, and assessment and management, those are the key areas that I think really will lend itself to creating a more secure environment for us all.
Alejandro Lavie: Or as a friend would say, Greg, a less insecure one.
Gregory J. Turner: That’s right. Yes, that’s true. That’s true. Less insecure. Alejandro, I want to extend a great thank you and gratitude for being here with me today. This has been truly educational and amazing.
Alejandro Lavie: Thank you, Greg, I very much appreciate the time with your audience. And hey, anytime, available here for you guys, Flexera is a great company to partner with, and you guys are a great partner to us. And we look forward to doing more of these on any other topics.
Gregory J. Turner: Great. And thank you to our audience for listening. I hope you found this podcast helpful. For any questions, comments, or feedback, please feel free to send me an email at firstname.lastname@example.org. And for more information about us, visit mtm.com. At The Disruptive Enterprise, this is Greg Turner. Thank you.