Many organizations fail to invest the time or resources in being proactive when it comes to strengthening their network and information security defenses. This often stems from thinking that breaches can’t happen to them. Unfortunately, they can, do and will. In the past, investing in point security products was effective. Today, protections like antivirus, spam filtering, and firewalls are table stakes for every organization. But they’re not enough. Today’s threat actors are more creative than ever and they’re constantly finding new ways to be successful in their endeavors.
On this episode of The Disruptive Enterprise Podcast, host Gregory J. Turner, CRO/CIO at MTM Technologies, and guest Jesse Kegley, Managing Partner at Emerge IT, discuss proactive steps to strengthen your network against these threat actors.
Who’s ready to talk about cybersecurity?
Cybersecurity: Strengthening Network & Information Security Defenses
By Gregory J. Turner, CRO/CIO for MTM Technologies, with Jesse Kegley, Managing Partner at Emerge IT
Gregory Turner: Welcome to our continuing podcast series at The Disruptive Enterprise. Today, we’re going to be discussing security challenges facing the enterprise, how to develop a stronger security posture for your organization, how to gain a higher confidence in your ongoing protection efforts, and ways to gain greater visibility and deeper understanding of all your operations and infrastructure to better prepare for all the threats encountered by your network. Organizations are under attack everywhere. The average total cost of a data breach in 2016 was $3.62 million according to a study by Ponemon Institute. The cost has only increased in the past few years.
Gregory Turner: The problems are exacerbated by the lack of trained security professionals. According to a 2017 report by Frost & Sullivan, there’s actually a worldwide shortage of security professionals. The talent shortage combined with an increase in threats has led to a generally weak security posture among most organizations. Successful attacks result in huge monetary losses, loss of intellectual property, compromised client information and confidence, and lower corporate valuations. With me today on the podcast to help add some perspective and guidance is Jesse Kegley, the Managing Partner of Emerge IT. Jesse, perhaps you could tell the listeners today a little bit about yourself.
Jesse Kegley: Sure. Thank you, Greg, for that introduction. My name is Jesse Kegley, I’m a managing partner with Emerge IT. We focus on IT infrastructure solutions and are tightly aligned with the architectures that Cisco Systems has laid out. Working with organizations all across the country, really helping them streamline their operations, implement security measures and solutions, both proactively as well as reactively in supporting threats and network infrastructure issues. I’ve been in this industry for just over 17 years and have operated both in a technical capacity as well as operating the business overall, setting the strategy of our organization with the end in sight to help people.
Gregory Turner: That’s excellent. And Jesse, thank you so much for being here today with The Disruptive Enterprise and being a part of our podcast.
Jesse Kegley: Certainly. Thank you for having me.
Gregory Turner: So, let’s talk a little bit about the ways that Emerge IT and with our partner, Cisco, can strengthen network and information security defenses to help put your organization in a better position to respond to an incident or event.
Jesse Kegley: Sure. Yeah, I really look at planning the proactive elements of expecting an event to occur and taking the necessary time and investment into planning for those incidents to occur. Too many organizations are not investing the time or the dollars in being proactive. This stems from, I think, a lot of organizations not thinking that it will happen to them. And so, they kind of neglect or ignore recommendations and suggestions to be proactive in this area. In the past, investing in point products was very effective. Things like antivirus, spam filtering, firewalls, these are all kind of table stakes. And in the past, they were pretty effective, but in today’s climate, it’s really not enough. The threat actors are more creative than ever and are constantly finding new ways to be successful in their endeavors. One of the things-
Gregory Turner: Yeah, absolutely. Yeah, I was going to say absolutely. And I think what we’ve seen and probably, you’ve seen it as well, is the social engineering model of hacking is quite effective today.
Jesse Kegley: Yeah, 100 percent. All too often, we are in the executive office trying to share these experiences that other folks are having in real life and it’s unfortunately not until an event happens that the executive office sees the value in making the necessary investments.
Gregory Turner: Our partner, Cisco, has said on record that there are two types of organizations, those that have been breached and those who don’t know they’ve been breached. I think that’s probably true. What are you seeing today?
Jesse Kegley: Yeah, I think while it’s a pretty broad statement, I don’t think it’s too far off from the reality. Over the past two or three years, we’ve seen a significant increase in breaches. And to your mention, a lot of social engineering is occurring, or these organizations, these threat actors, are very motivated to get to the end game of breaching an organization or getting their hands on sensitive data. And what’s really important to understand from my perspective is that that motivation is monetary in nature. Oftentimes, the motives are after specific records or data that can be sold, but there’s also a target on intellectual property by corporations or even state-sponsored entities.
Jesse Kegley: And then, of course, we know that there’s political motivations that are in play as well. I always try to share with folks and I try to paint a picture for them that we, in our corporate organizations, we wake up, we grab our Starbucks, we go to work and then, we have a job to do, we report to our superiors, we have objectives that we’re trying to accomplish. That’s no different for many of these threat actors. There are actual corporations with structure, reporting structures, pay scales, et cetera set up for folks to execute on these breaches and these threats. And when you kind of put that into perspective, it can help open up folks’ eyes as to really what the threat is.
Gregory Turner: Absolutely. And I think along the lines of what Cisco is saying about the two types of organizations, the way I look at it is it’s not a question of if, it’s more of a question of when and then, how do you respond, right? And I think today, when we look at the number of breaches and the amount of losses of data and records that occur, some estimates are that 5.1 million records are lost or stolen every day.
Gregory Turner: And so, that kind of works out to about 59 records every second. So, probably, by the time we’re done with this podcast, somewhere, somebody’s going to have lost several thousands of records. And so, Cisco lays out a pretty neat approach, the Cisco five steps for breach readiness and response and how it prepares CSO organizations to respond. Can you talk me through that and help me understand that model?
Jesse Kegley: Yeah, absolutely. The first step is to get proactive with an incident response plan. In traditional IT as well as IT operation management, we’re all very familiar with disaster recovery and business continuity planning. For years, we’ve seen the value in having a plan if there’s a disaster to be able to continue our business and a lot of investments gone into technology and services to enable that continuity of business.
Jesse Kegley: We really need to put cyber events into that same spirit of planning. Cisco offers, through their security incident and response planning service, that front-end planning. So, very similar to a DR/BC plan, it’s going to identify who is engaged, what are their responsibilities, what’s the communication plan, and how is the remediation going to occur. And it spans outside of just the technology as well. Things like public relations, legal implications, things like that really need to be identified and planned out proactively.
Jesse Kegley: Second is securing access to the Internet. So, Cisco’s solution to this is Cisco Umbrella. This is a layer of defense that allows organizations to place policies such as website or content filtering, but also ties into Cisco’s Talos threat intelligence network, which is a global network of known threats and known threat actors. So, incorporating that intelligence at the gateway, both for clients inside of the firewall as well as roaming out in public Wi-Fi or outside of the firewall.
Jesse Kegley: Third is endpoint protection. Cisco has a product called AMP, Advanced Malware Protection for endpoints. And this is a software application that runs on every endpoint in the organization, also ties into the Cisco Talos threat intelligence network, and provides great visibility into the entire environment. So, if a threat breach occurs, having the ability to isolate clients and have full visibility as to what devices were affected by that threat is very valuable.
Jesse Kegley: Fourth is testing the plan. So, as part of Cisco’s incident response services, there’s an element of proactive threat hunting. So, this is a component of Cisco IR that really is essential. As with all plans, they’re only effective during execution. So, partnering with Cisco on testing that plan to identify gaps will ensure ultimate effectiveness. And then, finally, emergency response. Having a team of experts to contact and get a response within hours of a request to begin working virtually before arriving on site to remediate any data breaches provides a really good peace of mind for organizations, even after doing the diligence and planning and testing.
Gregory Turner: Yeah. And I think that’s probably one of the greatest features that’s offered as part of the five-step breach readiness and response, is having that emergency response team available to you as a Cisco client. And working with partners like MTM and Emerge IT to be able to jump in and respond and support because, as we identified, it’s probably more a condition of when, not if. And having that response component at that very detailed and very instant readiness really is critical.
Gregory Turner: Talk to me maybe a little bit about some of the physical security levels and breaches you’ve seen. I mean, I can tell you anecdotally, working with clients that were very secure, Cisco clients investing in lots of technology, but you’d go in and you’d look underneath the keyboard, and you’d see post-it notes with passwords. And you think about all the layers of technology and response and remediation when we could have simply just ensured that people weren’t using post-it notes under their keyboard to keep track of their passwords. Any experience in that area, Jesse?
Jesse Kegley: Yeah. I mean, there’s a plethora of technology and services that are offered by Cisco and others out in this industry, but I’m a firm believer that our people that are working in our organizations really are our first line of defense. Human firewalls, right? It’s kind of a term that I like to say there. So, making sure that there’s good training programs in place so that those individuals are constantly up-to-date to the latest threats as well as being trained on best practices really is key there, as well as having good policies and good policy enforcement in the organization.
Jesse Kegley: From a technology standpoint, we mentioned Cisco Umbrella and that is a great technology that Cisco has brought to the market through an acquisition of OpenDNS and they’ve really improved that product and that solution into their portfolio. And so, the Cisco Umbrella solution is a DNS layer of defense. Really allowing organizations to place policies to protect from websites that users are going to, but also, it’s very, very effective in protecting against command and control activity.
Jesse Kegley: So, a lot of malware infections, regardless of how that malware is brought into the organization, one of the first things that that malware does is communicates out to a command and control server that then delivers additional payload, such as encrypting files or collecting data. Cisco Umbrella ties in with the Talos threat intelligence network, which has a very, very broad database of known threat actors and known command and control servers out on the internet based on DNS name, as opposed to IP address and can be very, very effective in blocking the further attack once that initial malware is resident on a computer.
Gregory Turner: Yeah. And I think Talos, that’s one of the hidden gems of the Cisco solution. It quite possibly is the most comprehensive, most extensive threat database known to man today. And to have that as part of the service offering, that’s just another layer of insurance and protection that Cisco clients will realize.
Jesse Kegley: Yeah, it’s pretty key. One of the things I like about Cisco Umbrella also is that it protects the computers even if they’re outside of the firewall. So, a lot of these technologies out there certainly protect computers inside of the firewall in the corporate LAN, but being able to provide that DNS-layer security for our roaming clients is really key. We need to be able to protect those devices as they leave the network, so as to not allow them to come back into the network and do damage.
Gregory Turner: Now, does AMP provide methods by which you can short-circuit the additional payloads or additional controls to the command and control servers?
Jesse Kegley: Yeah. So, Cisco AMP, Advanced Malware Protection for endpoints is also pretty powerful. There are very powerful protection engines within the AMP software that utilize machine learning to identify threats, as well as automate the remediation, really preventing exploits. So, utilizing things like file reputation and that machine learning, the AMP solution can really aid in isolating devices. So, automatically pulling them off the network as well as ultimate visibility.
Jesse Kegley: One of the most difficult things when a breach occurs is being able to identify any other computers on the network that were affected by that breach. And having AMP for endpoints across all of your devices allows you to have assurance that you’ve isolated all of the devices that were affected. By having visibility in all the files that are running on all the systems in the network, if there’s specific data sets or files that are known by AMP as a part of that breach, it can identify those across the network and very quickly aid in remediation and threat hunting.
Gregory Turner: So, just to kind of summarize, I think the five steps that you laid out for us, Jesse, were plan, secure the internet, provide endpoint protection, test the heck out of the plan and then, have a component of emergency response. Is that right?
Jesse Kegley: Yeah. Those are the five steps that Cisco has laid out.
Gregory Turner: That’s awesome. And I think those are an excellent overview and I think it’s an excellent way to frame this very complex and very threatening environment in which we live today from cyber security and cyber threat in particular. Are there any other points that you’d want to raise, Jesse, that maybe some tips and tricks for our listeners out there today?
Jesse Kegley: Sure. One thing that I would mention is there’s a lot of conversation and consideration around cyber insurance. And I think it’s important to point out that while cyber insurance is becoming a necessity, it certainly isn’t going to provide relief for any reputation impact of a breach. And so, when I’m talking to various people, oftentimes, at the C level or in the executive office, a common response that I get is, “Well, we have cyber security insurance.” And it’s really just not that simple. Really, I think that the most effective approach is to have these technologies in place to be able to defend and plan for an event to occur, minimize the impact of a breach.
Jesse Kegley: But then, leverage different people and different services to ultimately remediate and limit the damage. So, having a breach coach, which is often on the legal side of things, is important. Having that cyber security insurance there to be able to aid in relief of business impact of a cyber security event, but also, the incident response, because cyber security insurance isn’t going to get in and limit the exposure and eliminate the threat of that breach. So, all of these pieces are important to work together.
Gregory Turner: Yeah. No, that’s an excellent point. And I think even with the insurance, if you don’t follow the five steps that you’ve laid out, even collecting the relief from the insurance policy may be difficult, because they require organizations to be prepared, to not be deficient in their exercise of being good stewards of cyber data.
Jesse Kegley: Yeah, that’s absolutely correct. Too many times an organization thinks that they have cyber security insurance, so they’re covered, just to find out that they didn’t do the things that were expected of them. I’ve even heard stories where the cyber insurance policies are underwritten to just provide compensation for hardware or products that are affected, and we know that the cost of these breaches span well beyond any product or hardware operating an organization. And again, that reputation can’t be insured, right? We can’t put a number on that.
Gregory Turner: That’s right. Hey, Jesse, this has been awesome. Thank you so much for your time today. It’s been truly educational.
Jesse Kegley: Thank you very much.
Gregory Turner: And thank you to our audience for listening. I hope you found this podcast helpful. For any questions, comments, or feedback, please feel free to send an email to firstname.lastname@example.org. For more about The Disruptive Enterprise, visit mtm.com. At The Disruptive Enterprise, this is Greg Turner. Thank you.
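The DNS-layer control discussed in the episode (blocking by queried name rather than by IP, with policy applied before the lookup reaches a recursive resolver) is easy to model. The following is an added example written for this page; it is not code from the podcast, from Cisco Umbrella, or from Emerge IT. The blocklist entries, the upstream answers, the query log and the sinkhole address are all constructed sample data, and `evil-c2.example` and `beacon.badsite.test` are hypothetical names. It shows the matching details a practitioner actually cares about: case-insensitive names, trailing dots, and subdomains of a listed domain being caught while the listed domain's own parent is not.

```python
"""DNS-layer blocking of known command-and-control domains.

Added example modelling the mechanism described in the transcript: a
resolver-side policy matches each queried name against a blocklist of
known C2 domains (by DNS name, not by IP address) and answers blocked
queries with a sinkhole address instead of recursing upstream.
All data below is constructed for illustration.
"""
from dataclasses import dataclass

# Constructed blocklist of hypothetical C2 domains (assumption: a real
# deployment would feed this from a threat-intelligence source).
C2_BLOCKLIST = {"evil-c2.example", "beacon.badsite.test"}

# Address returned for blocked names. Assumption: any RFC 5737 documentation
# address works here; this is not a vendor's real sinkhole.
SINKHOLE_IP = "198.51.100.1"


def normalize(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot, so
    'EVIL-C2.example.' must hit the same policy as 'evil-c2.example'."""
    return name.rstrip(".").lower()


def is_blocked(qname: str, blocklist=C2_BLOCKLIST) -> bool:
    """True if qname or any parent domain is listed, so 'cdn.evil-c2.example'
    is caught by the entry 'evil-c2.example'. The reverse is not true:
    'badsite.test' is not blocked by 'beacon.badsite.test'."""
    labels = normalize(qname).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


@dataclass
class Answer:
    qname: str
    action: str  # "allow" or "block"
    rdata: str   # address handed back to the client


def resolve(qname: str, upstream: dict) -> Answer:
    """Policy check before recursion: blocked names get the sinkhole address
    and the query never reaches the upstream resolver."""
    if is_blocked(qname):
        return Answer(qname, "block", SINKHOLE_IP)
    return Answer(qname, "allow", upstream.get(normalize(qname), "NXDOMAIN"))


def process_log(lines, upstream):
    """Run each constructed 'client qname' log line through the policy."""
    results = []
    for line in lines:
        client, qname = line.split()
        results.append((client, resolve(qname, upstream)))
    return results


# Constructed upstream answers (stand-in for real recursion).
UPSTREAM = {"www.example.com": "93.184.216.34", "evil-c2.example": "203.0.113.7"}

# Constructed query log: one line per lookup, "client qname".
SAMPLE_LOG = [
    "10.0.0.5 www.example.com",
    "10.0.0.5 EVIL-C2.example.",          # case and trailing dot still match
    "10.0.0.9 cdn.beacon.badsite.test",   # subdomain of a listed entry
    "10.0.0.9 badsite.test",              # parent of a listed entry: allowed
]

if __name__ == "__main__":
    for client, ans in process_log(SAMPLE_LOG, UPSTREAM):
        print(f"{client} {ans.qname:28} {ans.action:5} -> {ans.rdata}")
```

Two points follow from the model. Matching on the whole label suffix, not on a substring, is what keeps `badsite.test` from being blocked by an entry for `beacon.badsite.test` while still catching every host under a listed domain. And the control only ever sees the lookup: malware that beacons to a hard-coded IP issues no DNS query at all, which is exactly why the episode pairs DNS-layer filtering with endpoint visibility rather than relying on either alone.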