Much of the discussion around cybersecurity is about ways to mitigate risks and steps you can take in the future, which is fine. However, it doesn’t do you much good when you are under attack right now. That’s when you need immediate response and remediation from trained experts.
One of those experts is Cisco, a strategic partner to MTM Technologies. Cisco provides a full suite of proactive and reactive services to help you prepare, respond, and recover from a breach through its Talos Incident Response service, giving you access to the same threat intelligence available to Cisco, plus world-class emergency response capabilities.
On this episode of The Disruptive Enterprise Podcast – Part 1 of a two-part series – host Gregory J. Turner, CRO/CIO at MTM Technologies, and his guest Sean Mason, General Manager of Cisco Talos Incident Response at Cisco, discuss how MTM Technologies helps its clients by evaluating existing security plans, developing new plans, and providing rapid assistance when they need it most.
Who’s ready to talk about cybersecurity incident response?
The Disruptive Enterprise – Cybersecurity: Immediate Response & Remediation (Part 1)
By Gregory J. Turner, CRO/CIO for MTM Technologies, with Sean Mason, General Manager of Cisco Talos Incident Response at Cisco
Gregory Turner: Welcome to our continuing podcast series at The Disruptive Enterprise. In previous podcasts, we’ve talked about enterprise security and ways to minimize risk and exposure to threats. We know that organizations in every industry in geography find themselves under unprecedented attack that have led to significant losses as measured in money, intellectual property, and compromised client information and confidence and of course, lower corporate valuations.
Gregory Turner: We often discuss ways to mitigate these risks and steps you can take in the future, which is fine. However, it doesn’t do you much good when you are under attack right now. That’s when you need immediate response and remediation from trained experts. One of those experts and it’s a strategic partner of MTM is Cisco. Cisco provides a full suite of proactive and reactive services to help you prepare, respond, and recover from a breach through their Talos Incident Response service. With Talos IR, you get access to the same threat intelligence available to Cisco, plus world-class emergency response capabilities.
Gregory Turner: As a Cisco partner, MTM Technologies works with its clients to evaluate existing security plans, develop new plans, and provide rapid assistance when you need it most. Today, I’m pleased to have as my guest on this podcast, is Sean Mason. Sean is the General Manager of Cisco Talos Incident Response and a leading expert in cyber security. He’s responsible for all aspects of Talos’ customer-facing global incident response business and practice. Why don’t you tell us a little bit more about yourself?
Sean Mason: Thank you guys are having me. I appreciate it. A little bit about myself, I actually came to Cisco really four-and-a-half, almost five years ago at this point. And was really tasked with, really, kind of a grand idea, which is, “Hey, how do we build an incident response organization for Cisco and our customers?” And really, over the years, we’ve put together just really piece-by-piece, brick-by-brick, if you will, what I like to think of as a world-class organization that, as you kind of hinted to, it handles all the way from the typical data breach, the incidents, all the things that kind of hit the news, if you will, to some of the more proactive things that we tend to spend a lot of time on. And unfortunately, a lot of folks don’t spend maybe too much time on, in the areas of things like tabletop exercises or something maybe as simple as you have an IR plan. So, that’s a little bit about me and maybe the team in a nutshell without going too far down the rabbit hole today.
Gregory Turner: Sure. Well, thank you very much, Sean, for joining me on this podcast. And I’m sure our listeners will get a lot of valuable information out of this. So, let’s dive right in. Cisco often says that there are two kinds of organizations, those that have been breached and those who don’t know they’ve been breached. Is that the case for customers you work with and maybe you can tell me about the types of situations you and your team have found clients dealing with today?
Sean Mason: Yeah, that’s an interesting question. And I hear a lot of the catchphrases, the slogans that are out there, and I’d say there’s probably a third one that’s probably not there, which is maybe those who maybe have been breached and maybe they’ve learned from that and then, they really have kind of, I’d say, their house in order, right? Maybe they’re not necessarily breached today, but they’ve gone through and learned those lessons. Sometimes, I’d say that there’s also the folks who’ve gone through and had those breaches who maybe haven’t learned their lessons, right? And they may be, still today, don’t necessarily know that they’ve been breached.
Sean Mason: And as I’m saying that, I’m even wondering, too, that there’s also maybe even another paradigm, which is, there’s folks today who maybe think they have their house in order, but they might have adversaries earning under their network right now doing all sorts of things that they just may not be privy to, maybe setting up shop, maybe getting a foothold, maybe exfiltrating data ahead of maybe a larger attack, if you will, which is definitely something we’ve actually seen in the last couple weeks.
Gregory Turner: Right. And as you said, there’s probably other types of clients, those that have been breached, but those that still fail to take all of the necessary actions to protect them from the next one. And either it’s a matter of time, resources, or money. And so, I think it’s great that Cisco and the Talos Incident Response group is there, because it can really help clients who just don’t know how to attack this problem on their own.
Sean Mason: Yeah, I think that’s it. I think maybe a way to put it is it’s really not black and white, right? There’s a lot of different organizations out there. And for one reason or another, they’re on a different spot, right? And it’s not necessarily good or bad, right?
Gregory Turner: Yeah. And frankly, sometimes, it’s a min/max strategy, right? What’s the maximum protection I can get for the minimum cost or disruption to the organization? And sometimes, that’s just not enough. But I think we look at some of the world-class organizations and some of the best security organizations on the planet, they do excel at preventing, defending, and responding. And I think it really boils down to a key aspect, is having an intelligence-driven approach to security. I think the Talos solution certainly plays into that intelligence-driven approach. Can you talk a little bit about that approach?
Sean Mason: I can. And I’ll hit on a question I didn’t initially answer with the first one because you kind of got me hung up on the black and white, which is, “What types of organizations are there?” But I’ll use a backdrop of the last couple weeks that we’ve been dealing with here and it’s really around the Maze team, if you guys are familiar with it. And now, even today, there’s a lot more copycats coming out of the works, which is for years, we’ve been dealing with ransomware.
Sean Mason: And almost to the position, to the part where it’s almost automatic in terms of our response and the questions that we ask, right? And I will say this, that we’re always talking about making IR plans and playbooks, definitely, we have our own plans and playbooks as well, right? So, that said, in the last couple weeks, we’ve actually seen a change in the attacker’s approach, right? And they’ve actually been going through and not just getting a foothold in an organization, but going in, looking through the organization, getting the foothold, but then, also exfiltrating data before they go through and lock up the environment.
Sean Mason: So now, they’ve added a new twist to the things that are going on in terms of the ransomware arena. And when you talk about the intelligence aspect of understanding what’s going on and why it needs to be an intelligence-driven approach, if you didn’t necessarily take the time to understand that, to learn about it, to read about it, to hear it maybe from Cisco Talos Incident Response, because we actually send an emergency bulletin out to our customers. We actually launched a blog post yesterday that had more details about what was going on and what we were seeing.
Sean Mason: If you didn’t understand that that was happening and didn’t understand what to look for in your environment, you’re not doing yourself a service, right? You’re just thinking, “Hey, there’s this ethereal idea of an attacker out there and I have to defend against everything.” When realistically, you should be looking at very specific indicators to help you prevent, defend, and ultimately, respond as well.
Gregory Turner: And this new type of intrusion, how do people normally see that?
Sean Mason: A good question. I’d say they normally see it because the machine stopped responding. Hence, the reality of ransomware that we’re dealing with. And maybe I laugh and a little bit of a dark humor, but it’s just something that we’ve dealt with just day-in and day-out for years at this point. And I’ll hit this one specifically, and stop me if you don’t want me to go down this rabbit hole, but I think it’s really interesting as we have really seen, I’d say, the next evolution, the next generation of attacks here, which again, even today, there’s more and more adversaries, I’d say, starting to copycat this approach.
Sean Mason: So, I think it’s actually kind of important for your listeners to hear about. But you don’t necessarily need to get to the point where you come in on Monday morning or Wednesday morning and your environment no longer is up and running, right? There are key things that you can be looking for especially in this type of attack, which would be maybe some of that exfiltration piece, which is going to happen ahead of the ransomware being deployed within the environment, right? So, for example, in some of the information we published was if you’re seeing FTP out from your organization, maybe you’re seeing gigabits of traffic going out, you might have an issue that you need to look into further before maybe it becomes a full-blown ransomware case on top of the blackmail that these adversaries are performing as well.
Gregory Turner: Right. So, it’s really that intelligence that allows you to understand that there’s an anomaly in your architecture, your infrastructure that’s going on and that is probably a key indicator that they’re making their way into your organization to create this ransomware attack.
Sean Mason: Exactly. Right. And I think again, that comes back to the intelligence aspect of things, right? The more we know, the more the organization knows, the more we can essentially instrument our tools either to prevent, attack, or respond appropriately, right? And again, that’s what we at Talos, do all day, every day.
Gregory Turner: Right. I think it’s pretty impressive. And I don’t know if you could share any of the statistics about the incredible Talos knowledge base and how often it’s updated and refreshed to provide this updated intelligence.
Sean Mason: That’s an interesting question, right? And I would say years ago, that was something that we looked at doing and we were actually quite proud of the numbers. But over time, and you look at the industry, I think, as a whole, it really becomes just a numbers game, right? “Hey, my number is bigger than your number, so I’m better at X than you are.” So, we actually got away from that, which, full disclosure, I’m actually really happy with, right? Because you go to one organization, they go, “Hey, we see 1 million threats” and then, you go next door and they go, “Well, we see 1 million and one”, right? And it’s just this back and forth battle that you can never win.
Sean Mason: To me, it’s more about what’s the value, what’s the quality, what’s the efficacy of what you’re seeing out there, and how are you actually taking that information and turning it into things that are actionable not just for the customers, but especially at Cisco Talos, one of the things we really pride ourselves on is powering the engines that run a lot of our tool suites all the way from our next gen firewalls to things like AMP for Endpoints, so on and so forth, right? So, to me, it’s more what you’re seeing, what you’re digesting, and what you’re turning into actionable insights at the end of the day.
Gregory Turner: Yeah. No, I agree. I think that’s always very important, is really the value of the information versus the number of rows in the database.
Sean Mason: Yeah, that’s a really good way to put it, right? Although, I think some of our friends maybe in social media who might be doing nefarious things with our data, we won’t name any names, right? It might be how much data they have and aggregate, it might be a sum game, but that’s a little bit different, right? It’s a little different than what we deal with here in security.
Gregory Turner: Right. So, I think from the Cisco approach and the Talos Incident Response retainer service, there’s a series of solutions that you provide a series of very specific service offerings. And what I was wondering is if maybe you can kind of walk me through, walk our audience through some of the types of services that you provide and how it relates to different situations. Like obviously, as an example, the emergency incident response kind of is dealing with, “I need help right now.” What’s usually included in something like that and how does that work?
Sean Mason: Yeah. So, it’s a good question. And frankly, it’s probably a question that will take an hour. So, I’ll try to maybe hit a couple highlights for you and your listeners. So, first and foremost, when I think of incident response, I think when most people think of incident response, they go, “Hey, there’s something happening right now. I have an incident. I have a data breach. Heck, every once in a while, we deal with an insider case. We have a ransomware”, something’s going on.
Sean Mason: And very rarely, although it does pop up, “Hey, there’s just a random piece of malware from 2009 and somehow, it got unleashed in our network”, right? Believe it or not, we still get those calls every once in a while. That’s usually what IR teams are known for. And when you talk about what you do there, I can tell you this, every single incident is different, right? And it’s not just a technical look at the world, right? It’s not just, “Hey, you need to come in and solve the ones and zeros,” especially nowadays and it’s really, really morphed over in a number of years, I’d say, here, there’s a lot of—how do I put it? I don’t want to say administrivia, but there’s a lot of, we’ll say, incident commanding that needs to happen, right? And why I say incident command, because there’s a lot more players than there used to be.
Sean Mason: So, I’ll give you some examples, if you look at maybe an organization that’s got hit with ransomware and maybe they can no longer build widgets or maybe they can no longer ship widgets or maybe they’re an upstream organization that provides services to other organizations. Well, maybe those other organizations are now impacted, right? Maybe they actually can’t work because of something that happened higher up the chain, if you will.
Sean Mason: And when you look at that, yeah, there is definitely the ones and zeros, “Okay. What happened? How did they get in? What did they do?” Back to the Maze team stuff that I’m talking about, “Did they exfiltrate any data? How do we get them out? How do we contain the situation? How do we get things back up online?” There’s definitely a lot of those, we’ll say, IT-related questions that come up, but there’s also a lot of other things that come in line.
Sean Mason: First and foremost, we’re talking more and more about cyber insurance these days, right? And, “Hey, have we understood what cyber insurance you may or may not have? “Do you understand what’s in your policy? Do you understand the concept of business interruption? And what does your policy say about that?” Additionally, we’re seeing more and more lawyers being involved, right? So, it’s not uncommon to come into an incident, you look around, you go, “Oh, boy. We need to get Counsel on the phone”, right? Because if you think about the example I just portrayed there or maybe you have some downstream organizations that are impacted, well, maybe they can’t make widgets, maybe they can’t sell, maybe they can’t book customers, whatever it might be, you might actually be impacting them also at the end of the day.
Sean Mason: And that, especially in our lawsuit-happy culture, may lead to a lawsuit coming your way, right? So, you need to make sure that your attorney is engaged as quickly as possible. So, those are just kind of two examples, but the point being that incident response is not just an IT problem anymore, right? There is a lot more that goes into that. And I hate to call it administrivia, there’s a lot more to it, but there’s a lot of the, we’ll say, risk management pieces, if you will, that truly have to take place during emergency response.
Gregory Turner: Well, I think that’s the nature of it. One of the things we’ve learned is that cyber security is no longer just an IT problem, it’s an enterprise problem.
Sean Mason: Absolutely.
Gregory Turner: And risk management and mitigation are also at an enterprise level. So, I think that’s great that with your emergency incident response program, you’re presenting those checklist of things that our clients need to know and can be better responsive to the situation. And I think insurance is important. But again, what I have found in my experience, Sean, is that after an incident, after the breach, after the damage is done and then, you go to collect on the insurance, often, companies are faced with trying to prove that they had done the due diligence to a sufficient level before the breach occurred and therefore, still are worthy of getting reimbursement or getting the coverage paid.
Gregory Turner: And in many cases, had they done the things that they have to try to show that they do now through due diligence and so forth, they might not have been breached in the first place. And so, it’s kind of, don’t sit back and just assume that if you have insurance, you’ve got this thing covered. You really do need to have the full, from risk assessment, risk management all the way down to having a playbook and plan in case of an incident occurring.
Sean Mason: Yeah. I mean, I think you hit the nail on the head. And a term I’ve used this year to talk about cyber insurance, and I don’t want to get too far off the reservation talking about it, but I think it’s a fascinating topic, because it’s really changed the environment that we operate in. And as I said, the one term that I’ve used over the course of this year is cyber insurance is not a get-out-of-jail free card, right? And I’m sorry, but it’s not.
Sean Mason: It should truly be for your worst day. And unfortunately, for some of the folks we’ve seen out there, we had to encounter or work with them time and time again, right? And at some point, you really do go, “Hey, are you taking into account the recommendations, the ways these guys are getting in, the information you’re getting back? How are you hardening your environment?” And yesterday, that was more of an IT problem and now, to your point, I think it’s becoming more of an enterprise level risk problem, which is who to say-
Sean Mason: And I don’t want to go too far here, but when you think about some of the things that you’ve seen in the news, some of the lawsuits that are happening, some of the back and forth that’s been going on, you really have to take a step back and say, “Hey, just because this is an IT problem doesn’t mean it’s not necessarily an enterprise-level problem. That maybe will actually have downstream repercussions if and when we do encounter an actual true crisis within our organization”, right? It could just be as simple as not following a couple things that we recommended or some basic hygiene things in the network. And that could be truly detrimental to the larger enterprise.
Gregory Turner: Right. A good example, just a quick anecdote is I had a client that had all the best intentions, knew that their Windows 2003 servers were obsolete, knew that Microsoft no longer supported them, knew that they were no longer being maintained for security patches in the operating system, but they could only re-platform their application set over time, because that’s all their funding was and that’s all that they could do. And unfortunately for them, one of those intrusions got in through that and seated itself to then eventually create a ransomware incident. And so, what you pointed out is exactly that. Sometimes, it’s just either an oversight or it’s just fiscal realities that prevent you from being as secure as you could possibly be.
Gregory Turner: Please join us for part two of our podcast with Sean Mason, General Manager of Cisco Talos, in our next episode of The Disruptive Enterprise. For MTM Technologies, this is Greg Turner.