In this episode of Security Nation, we chat with Wendy Nather, head of advisory CISO services at Duo Security, about her work bringing awareness around the unspoken issue of the Security Poverty Line (aka, how difficult it is for organizations to build effective security programs when they lack the resources to make it happen). Wendy talks about how budget, expertise, capability, and influence can influence an organization’s security standing, the issues that arise when security pros can’t agree on what’s needed to be “secure,” and the importance of empathy in understanding why organizations may make decisions that are considered less secure.
In our Rapid Rundown, Tod and Jen share their biggest takeaways from Black Hat and DEF CON and discuss being on "BlueWatch" (*cue the "Baywatch" theme song*) for RDP vulnerabilities such as DejaBlue.
Jen Ellis is the vice president of community and public affairs at Rapid7. Jen’s primary focus is on creating positive social change to advance security for all. She believes that it is critical to build productive collaboration between those in the security community and those operating outside it, and to this end, she works extensively with security researchers, technology providers, operators, and influencers, and various government entities to help them understand and address cybersecurity challenges. She believes effective collaboration is our only path forward to reducing cyber attacks and protecting consumers and businesses. She has testified before Congress and spoken at a number of security industry events including SXSW, RSA, Derbycon, Shmoocon, SOURCE, UNITED, and various BSides.
Tod Beardsley is the director of research at Rapid7. He has over 20 years of hands-on security experience, stretching from in-band telephony switching to modern IoT implementations. He has held IT Ops and IT Security positions in large organizations such as 3Com, Dell, and Westinghouse, as both an offensive and defensive practitioner. Today, Tod directs the myriad security research programs and initiatives at Rapid7. He can be uniquely identified at https://keybase.io/todb.
Wendy Nather is a former CISO in the public and private sectors, and past Research Director at the Retail ISAC (R-CISC) as well as at the analyst firm 451 Research. She enjoys extreme weather changes while shuttling between Austin and Ann Arbor.
Security Nation is a podcast dedicated to celebrating the champions in the cybersecurity community who are advancing security in their own ways. We also cover the biggest events in security that you should know about. In each episode, host Jen Ellis (@infosecjen) sits down with a guest so they can share their stories, what worked, what didn’t, and what you can learn from their initiative so maybe we can inspire you to do something new, while Tod Beardsley breaks down the biggest security headlines of the week.
Jen Ellis: Hi, and welcome to another thrilling episode of Security Nation, the podcast where we talk to people who are doing really cool things to advance security and we find out what worked, what didn't, and what they learned along the way. I'm your host, I'm Rapid7's VP of Community and Public Affairs, Jen Ellis. And with me is my amazing copilot, Tod Beardsley. Hey Tod.Show more Show less
Tod Beardsley: Hi everybody.
Jen Ellis: How are you doing?
Tod Beardsley: Oh, I am great. So far, no measles. So pretty happy about that.
Jen Ellis: Yay. For those who are not sure what Tod's talking about, other than just like being daily glad that he does not have measles, there was some sort of measles outbreak recorded in Vegas where we have just been for the Hacker Summer Camp.
Tod Beardsley: If you were there just for DEF CON, you don't seem to have any exposure. If you were there for Black Hat, you almost certainly do.
Jen Ellis: So here's the thing that's annoying, is that I have conference plague regardless. I don't think I have measles. I wasn't even really at Black Hat long enough to have measles. I just have a nasty cold, which is lucky for all of you wonderful listeners. You get to listen to me sound snotty. Yay.
Tod Beardsley: Well, hopefully anyone listening to this already has their vaccinations. If not, go get vaccinated.
Jen Ellis: Also, you cannot catch measles through listening to a podcast.
Tod Beardsley: You cannot.
Jen Ellis: Just to be clear. I'm not a doctor, but that is a thing that I know. Okay. So before we get into our interview, which this week is with one of my heroes, Wendy Nather, we're going to have a little chat about the Rapid Rundown. We were just talking about Vegas, so why don't we start there? Did you enjoy your Vegas extravaganza?
Tod Beardsley: I had a great time this year. Some years are better than others. This is one of the better years.
Jen Ellis: Oh, and you did well at the tables? Is that what you're telling us?
Tod Beardsley: I did okay at the tables. I lost very little. But I think mostly the big reason why I had a great time was because I managed to catch not one but two keynotes, and they were both great because they're keynotes so they're supposed to be great. The first one I saw was Bob Lord at BSides, he kicked off BSides there with a great keynote. Bob Lord is now the, I think he's a CISO, I think that's his title. But he's effectively a CISO at the DNC, the Democratic National Committee. And he talked a lot about how those challenges are shaping up for him.
Tod Beardsley: As we all know, election security, voting security is kind of top-of-mind for a lot of people right now. He's got a whole lot of fancy CISO background, but it pretty much boils down to some core fundamentals on how to avoid getting hacked if you're running a campaign. And that is, have your patches all up-to-date, please, have 2FA and have some modicum of anti-phishing training. You hit those three things, you're 80% of the way there. There's tons of fancy stuff to do for that last 20% but boy, it's getting serious about fundamentals is kind of the name of the game at the DNC and honestly everywhere else. Like if you are able to hit all of those things, then you can move on to things like having decent network segmentation is pretty nice to have, vulnerability management, asset management, all of those things. So hit those fundamentals, was pretty much the theme of Bob's keynote there.
Jen Ellis: Nice. I like it. I like the simple message and I think as you said, Bob does have some pretty amazing credibility, good resume. So if he says it, it must be true. For people who want to catch that, BSides generally puts videos of their talks online, free and available on YouTube. I just had a quick look, it doesn't look like it's up yet but keep looking because I think it will appear.
Tod Beardsley: They tend to be pretty quick. They tend to have them up within a month or so of whatever the event is. And then I also saw Dino's keynote at Black Hat. It was pretty great. There was an allegory about how parachuting technology advanced within a very short amount of time, and it was all because the movers and shakers there were themselves skydivers. They had tons of skydiving experience. And so the analogy here is we can get security tons better if only we recruit people in that dev cycle. Moving security to the left was kind of the theme there of it's not enough to have a security department, you also need advocates in your development, and product engineering, and web app development and all that. Getting security kind of built in. I mean, and we've talked about this for years and years and years, you know, but I think we're at a point where it's not totally alien anymore.
Tod Beardsley: Like when I talk to security people, I generally get the sense that people are aware of things like SQL injection, cross-site scripting, in terms of web app stuff. For other regular developers we're seeing more and more framework usage so you're not inventing the same thing over and over again and injecting the same bugs over and over again. So that was for me, I mean that seemed to be the theme of the Black Hat kickoff of, "Let's hold hands with those dev folks and work together and make security real."
Jen Ellis: I love that. I mean I am a huge fan of embedding security into the engineering process. I think it is a necessary step forward. And I like the fact that Dino is talking about how you pragmatically do that. Like, "Where do you start?" is always a challenge. I think people get very frustrated with feeling like they're talking to themselves or speaking a different language. So this idea of finding people who are already interested or already motivated and making them into your champions is a great one. I love it. Very cool.
Tod Beardsley: Yeah. And the fact is that they're the experts, right? So, it's a matter of getting those experts on your side and promulgating security mindset among the folks that they're bringing on. Especially for new developers, you know? Like we've been looking at, "How is security doing in academia?" And it turns out it's not a core requirement in many, many CS programs or EE programs or anything like that.
Tod Beardsley: So getting that first job as a developer, hopefully there's somebody there already has some security smarts and will tell you how to do it.
Jen Ellis: As you said, Bob and Dino are two very smart, very well respected security guys. So maybe we should try and get them to come on sometime in the future.
Tod Beardsley: "Hey guys."
Jen Ellis: Yeah, right.
Tod Beardsley: "I know you listen."
Jen Ellis: Obviously, they never miss an episode. Who would?
Tod Beardsley: So in other news, in non-Vegas-related news, we're still on BlueWatch, that is the coming storm in RDP, the Remote Desktop Protocol. As listeners of this podcast have heard before, I've been pretty worried about this. There is of course BlueKeep, which is now about a hundred and something days, by the time you hear this, out of the gate. It's shocking. Every day I wake up surprised that there hasn't been some RDP meltdown on the internet. Lots of people have their own private proof-of-concept, but so far, fingers crossed, that has not leaked and turned into a massive WannaCry-level internet disaster event. But just on the heels of that, the reason why I bring it up now is because of what's now being called DejaBlue.
Jen Ellis: Oh, I see what they've done there.
Tod Beardsley: Which is great. You know what, and I like naming vulns. I do. I will go on record. I think it makes it easy to talk about and fun to talk about on podcasts. DejaBlue is one of the four bugs that were recently fixed by Microsoft in the August Patch Tuesday set. it is another pre-authentication remote code execution. We used to say RCE, I guess now we say Wormable, but it's a big deal and there's already research work being done on that. And so between the two of them before the end of the summer... When does summer end? Sept. 21, I think?
Jen Ellis: Oh is that the official ... that's it? After that, no more?
Tod Beardsley: Yeah.
Jen Ellis: Okay.
Tod Beardsley: And we have been down this path before. We've seen RDP bugs that look super scary that never went anywhere. But I think this is different. I think a lot of people are really looking at it. But on the flip side, people are very cognizant what happened with WannaCry. There was a disaster around EternalBlue. It was already weaponized when it came out, of course. So we don't really know what the impact will be of whatever RDP disaster that does eventually get unleashed. There's quite a few nodes out there. They tend to live in things like point-of-sale systems, medical technology, again, regular old traditional networking.
Tod Beardsley: So if you believe that you're all patched, please check again. If you believe you have not exposed RDP to the internet, please check again, not that that matters much. And I mean, it's a matter of patch management and asset management here. Of knowing what you've exposed.
Jen Ellis: Great.
Tod Beardsley: Yeah, for sure.
Jen Ellis: Okay. Now we're going to go to out special guest, Wendy Nather. So for this week's episode, we have a guest that really doesn't need much intro, but yet I could pretty much ramble for hours gushingly about her. So I will try and keep it brief and just keep to the pertinent facts. So our guest this week is Wendy Nather, a certified thought leader. In fact, I think she wrote the certification for the thought leadership. She looks horrified as I say this, but it's true. It's true.
Tod Beardsley: That's the thought-plus certification, right?
Jen Ellis: Yes, absolutely. The plus is what makes it so creamy. Wendy is the head of advisory CISO services at Duo Security, which is now part of Cisco. We like to call it Disco. I like to call it Disco because I like to disco. And prior to this, she was at the Retail ISAC, which was called RSISC at the time and is now the RHI SAC or something.
Wendy Nather: Now the RH-ISAC, Retail and Hospitality ISAC.
Jen Ellis: Excellent. And in a very rich and varied cybersecurity career, you've been an industry analyst, you've been a CISO. What haven't you done Wendy Lady? You've also guided the lost boys? A bit of everything.
Wendy Nather: I don't know if Rob Graham counts as a lost boy.
Jen Ellis: Oh, one of the most lost. Hi, Rob. We'll have you on soon. Okay, so we talked about the fact that you have this majestic, varied, very impressive background.
Wendy Nather: I think the word you're looking for is sordid. Sordid.
Jen Ellis: Sordid is a good word. It is one of my favorites. What do you think is the most epic thing that you've done?
Wendy Nather: The most epic thing that I've done? Gosh, I don't know. I usually don't deal in epic. I've done some stupid things. When I was an analyst, I took a briefing in the middle of a chemotherapy session. So yeah, I've done stupid, maybe epically stupid things. I don't know. I'll have to ask people like Javad or Adrian Sanabria, who used to work for me what epically stupid things I've done.
Jen Ellis: Now that is when you don't have good work/life balance. Since you've opened the door, you've been relatively open about the fact that you had a battle with cancer, which you hopefully, touch wood, doing well now?
Wendy Nather: As far as I know.
Jen Ellis: Good. Glad to hear it. Has that had a huge sort of impact in your ... God, I've gone from very, very high level into very serious now. But has that had a big impact on how you've thought about work and career and that kind of stuff?
Wendy Nather: So I'm really proud of the fact that since October is both Breast Cancer Awareness Month and Cybersecurity Awareness Month, I managed to combine both of them by being diagnosed with breast cancer during October. So yeah, that was incredibly efficient of me. But I don't know, the thing is that chemotherapy is and radiation and surgery and all the treatments and everything that they do to you, they have a very long tail, especially the chemotherapy. It resets your immune system and it can kick off weird conditions afterwards. So even if you're clear of cancer, first of all you're still dealing with the side effects of chemo, far beyond, for years in some cases.
Wendy Nather: And the other thing is that anytime you get a pain anywhere or something weird, my oncologist freaks out and sends me for a whole bunch of CT scans. So you're always more on the alert than you were before it happened.
Jen Ellis: Yeah. It's a constant added layer of stress at the back of your mind. That sucks.
Wendy Nather: Yeah. So I think it's, tying this back somehow to cybersecurity, is that when the breach finally happens, you think it's never going to happen but when it finally happens, everything after that looks like a breach to you. So there we go. That's the best I can do.
Jen Ellis: That was very nicely done. It was very smooth. I appreciate that. I was going to ask you, whether, when you said that there's a long tail of implications, you are in fact Spiderman, but now it just feels insensitive.
Wendy Nather: Oh, there we go. Yeah. I was not bitten by any spiders during my radiation treatment. And now I'm really disappointed.
Jen Ellis: What were you bitten by? All right so if ... blah, blah. Let me think about another one. Oh, okay, so I was going to ask you if you could go back in time and give your younger self one piece of advice, what would it be? But I think it might be, "Don't say yes to doing this podcast."
Wendy Nather: No, it would probably be, "Do not drive yourself to the ER," which I also did once, speaking of epically stupid things that I did. I was in the middle of cancer treatment and I was getting short of breath and I thought my asthma inhalers just weren't working. And I went to an urgent care doctor and she did a chest X-ray and it was clear, but then she looked at me and said, "I think you need to go to the emergency room and get a CT scan of your lungs right now." So like an idiot, I drove myself to the ER and it turned out that I had pulmonary emboli all over my lungs. So theoretically I could have keeled over mid-drive or anything. So that's the one thing that I would say to myself, "Don't drive yourself to the ER."
Jen Ellis: Yeah, I mean that seems like a pretty good piece of advice. Absolutely. Okay.
Wendy Nather: Wow. This got dark really fast, didn't it?
Jen Ellis: I know. And it's funny because I feel like generally we tend to keep it quite light but nope, nope we went right there. I dove us in there. Let's talk about security things. One of the things that you are most famous for, and one of the things that I feel like I reference a huge amount on the regular, is the work that you did around the security poverty line. I probably should apologize to you for the fact that I reference it because I probably reference it quite poorly. But I think it's just a really great, I mean just even the words, I think it's just a really great encapsulation of one of the big challenges that exists in security. And I think it's just a really nice sort of terminology that people can relate to very quickly and get where you're coming from. I do always attribute it to you, but again, I may not be doing you favors when I'm doing that.
Wendy Nather: I'm sure you are.
Jen Ellis: But one of the things that we like to do on this podcast is every episode we like to have somebody on who has kind of taken on a challenge that has advanced security in some way. And I think that the work that you did on the security poverty line is a great example of this. So the idea is that hopefully it will inspire others to go take on security challenges and help advance security in some way. Can you tell us a little bit, for those who are listening who are not versed, can you tell us a little bit about what the security poverty line project entailed and why you took it on?
Wendy Nather: Well this really started when I went from working in security at a Swiss bank, where I helped to manage a budget of like $50 or $60 million to a state agency in Texas where I had a budget of zero. And as you can imagine, building up a security program when you have no budget is really, really difficult. But even if you do have budget, if you are struggling with IT in general for a lot of different reasons, a lot of different constraints, you're still not going to be able to do a lot of the things that conventional wisdom holds that you should be doing in security. So just giving somebody free software and saying, "Here you go," is not going to solve their security poverty problems.
Wendy Nather: So an example is when you're working in the public sector, the taxpayers are not going to pay for you to upgrade your hardware and your software every year when it costs money to do that both in time and in effort and in disruption, and not to mention the licensing. Taxpayers expect you to use something for as long as it works until it stops working, and then you can make a case to get something new. So we had really ancient hardware, and in fact we were stockpiling hardware replacements off of EBay because a lot of the hardware that we had was out of support and end-of-lifed. And this just makes sense when you're in the public sector so people don't understand. They say, "Why don't they patch, why don't they update?" And it's a whole lot more complicated than that because you cannot make the case for something unless it's broken, really, really broken. And the thing is that, I'm now on a patching rant, but Windows XP was a great operating system.
Wendy Nather: It works just fine and it continues to work in kiosks and in medical equipment and all sorts of places where you wouldn't expect to see it anymore. But really why would you update a multimillion-dollar piece of equipment when it's not built to be updated and it's working just fine? I think people misunderstand that. So there are a lot of dynamics to security poverty. When I was at 451 I did some research just on whether security was even affordable. And I started by asking people, security pros, saying, "Let's say that I'm a CISO and it's my first day on the job and the org has never done security before. What should I buy?" And I couldn't get anybody to give me the same answer twice. Everybody would say, "Well it depends." Some people listed like four different technologies. Some people listed 31 different technologies as bare minimum.
Wendy Nather: And if we can't agree on what orgs need for security, how can we explain this to non-professionals and how do we even figure out whether they can afford it? If we don't know what they should buy, we don't know what it'll cost. And if we don't know what it'll cost, how do we know that they can afford it? So that's why I think that the issue of the security poverty line is a big unspoken issue. Although when I was at one of your conferences, Rapid7's conferences, and I gave a talk on the security poverty line, I had people come up to me later from the audience and say, "Yes, that's us. Don't tell anybody." Yeah. This really is much more widespread than you would think. And that's why I think it's important for those of us who can afford to talk about it, to talk about it.
Jen Ellis: So it sounds like you've got a pretty great response from the piece. What was the impact you hoped for?
Wendy Nather: Well, I just wanted awareness at that point. I just wanted people to be able to speak to it. It was certainly echoed by a lot of people. But I think there's still a lot more work to be done to try to figure out how to address this. For example, there are some nonprofits that are trying to offer security services to other nonprofits because they really can't afford to protect themselves. Now that Duo is part of Cisco, I'm going to be doing some more research on this and in fact we're going to be launching a survey in a few months' time to talk with CISOs about the more specifics around security poverty.
Wendy Nather: For example, I think that there are four aspects to the dynamics of security poverty. First of all, there is the budget, there is the money, whether you can afford to do the things that you want to do, whether you control anything. But secondly is expertise, not awareness as such. I think we talk too much awareness and not enough about expertise. As if we just told somebody about security, they would be able to go do something about it.
Jen Ellis: That's not how it works?
Wendy Nather: Yeah, that's it. Because it's been working just great for the last 20 years right?
Jen Ellis: Yeah, we've nailed it.
Wendy Nather: Yeah. So there's expertise. Do you know what to do? Even if you know that you need to do something, do you know how to do it? Then there's capability. Can you do it even if you know what you need to do? So, for example, if you cannot buy new hardware because the taxpayers say, "No," or the legislature says, "No," or if you don't run your own network so you cannot put in network-based controls when you want to do that, do you have the capability to be able to do it? Do you have enough people to do it?
Wendy Nather: And then finally there's influence, which I think is also underestimated among organizations. If you're something like Microsoft or even Cisco, you're big enough that you can go to one of your suppliers and say, "Hey, you need to fix this," and they'll do it. But if you are a small organization, they'll either say, "Well, you're the only one who's complaining about this so we're not going to fix it." Or they'll say, "Well, we'll fix it if you pay us to fix it." So influence plays a big role in whether you can get things fixed that you are dependent on. So those are the four aspects.
Wendy Nather: And so we're going to be delving more into those and finding out how much of those aspects affect the organizations that we talk to.
Jen Ellis: So if people are interested in participating in that survey, should they contact you?
Wendy Nather: Yeah, I guess that would be a good start. And I'm not sure how the survey company is reaching out to people, but I can try to make connections. But there's more to get involved in doing something with this then that, because if organizations, let's say, small- to medium-size organizations can't actually afford the security that we think they need, then how are we going to fix this? And if they cannot implement the security because they're sitting on top of a tangled mess of legacy hardware and software, how do we help them with that?
Wendy Nather: So there's a lot more that needs to be done. And I really see it as being almost as difficult a problem as that of healthcare reform. I think that there is a technology issue, but there's also an economic aspect of it. There's a political aspect, there's a societal aspect to it. We're still blaming victims a lot instead of saying, "There is no way they can do with they need to do. Let's see what we can do to help them." So I think we need to make a lot of changes there. And you're a policy person, so go do something, Jen.
Jen Ellis: Yeah. Stop recording podcasts and go out and do some proper work. Yeah, I mean, I think you're right. I think there's a lot more scrutiny and focus and emphasis on the healthcare problem and everybody can relate to that. I think, one of the challenges that we have in cybersecurity is that we've spent the past 30 years telling people that it's really complicated and that they won't get it. And now they're like, "Yeah, it's really complicated. I don't get it." And we're like, "Ugh-
Wendy Nather: "Why don't you get it?"
Jen Ellis: "What's wrong with everyone?" We have to figure out how to get out of our own way sometimes, I think.
Wendy Nather: Very much so.
Jen Ellis: One of the things that's interesting to me when I hear you talking about this stuff is, we've been doing these research reports, which Tod, obviously, as our director of research is heavily involved in. We call them the ICER reports, the Industry Cyber-Exposure Reports, and they look at the top end of the market. So the cybersecurity one-percenters, if you will. Part of the reason that we're fascinated always by the results is these organizations, which are the most resourced around cybersecurity probably, and you can sort of safely assume that that's the case.
Wendy Nather: Like Captain America, Chris Hough, like unlimited budget...
Jen Ellis: Yeah. You're talking about the Fortune 500s, FTSE 250s, like those kinds of groups, they probably have the biggest budget, the most resources, very, very skilled teams. And they still get basics wrong. They're still missing things, which I'm sure Tod will happily chat about. And so how do you deal with the long tail if the people at the high end of the market are getting that stuff wrong? And Tod, maybe you could just talk to some of the examples of that.
Tod Beardsley: Yeah, I mean we take a look at things like the adoption of DMARC, which is like an anti-phishing technology that has been around forever, well maybe not forever, but several years. Turns out it makes it really hard to spoof the target domain out to customers. Also makes it hard to spoof that domain to internal people. So it's a great anti-phishing thing for internal and external. And then we see things like, we see adoption of definitely sub 50% across all the cohorts we looked at. But some of them reached as high as like sub 20% have adopted this.
Tod Beardsley: And it's baffling to me because yes, DMARC is hard. You have to know where all your IT is, where all your [inaudible 00:18:24] live. All of your email hygiene has to happen. It may take a year to roll out. It is free like in dollars, but it may take a while to roll out. But it has been out there for a while. And so we do wonder a lot and we worry a lot about if the Fortune 500 can't do this reliably, I don't know how we can expect the Fortune 10,000 to be able to do it reliably. You know what I mean?
Tod Beardsley: On other areas we look at things, just real basic stuff like, are you exposing SMB and Telnet on the internet? Can you please stop doing this? Turns out some regions are better than others at that, but again, we run into this problem of we have ... I'm with you with this awareness is kind of done, right? Because major security issues hit regular, mainstream news, everybody knows about WannaCry. Almost everyone has heard of that big internet disaster that happened a couple of years ago and yet we still are seeing the effects of it out there in the world. And so I am with you on the awareness is there but doesn't seem to be doing much. And that also is a little depressing to me because we have been saying, it's like, "Oh well if only people knew how to do it and knew that this was a problem, then they would be able to deal with the problem." So I guess I'm curious do you ... my question is, if the awareness part, is that solved? And then where do we go from there?
Wendy Nather: Yeah. Well, you kind of alluded to it yourself that even knowing that you need to do something that's free can be difficult because you've got to know what you have and just because the basics are basic doesn't mean they're easy. And so I think if anytime we look at something like this and go, "I don't understand why they're not doing it," that means we don't understand.
Tod Beardsley: Right. There is a disconnect there.
Wendy Nather: And we have to go dig in with them and say, "Can you tell us why you're not doing this?"
Jen Ellis: Ask questions? Admit we don't know something?
Wendy Nather: I know, I know. Everybody take a deep breath. We can do this.
Jen Ellis: This is how you got that certification, Wendy.
Wendy Nather: Yeah. Anytime that you find yourself thinking, "Why don't they just X?" It means that you don't understand why. And so if you pull on that thread you will often find that there is a whole bunch of links leading back to what was a really good reason at the time. Like asset inventory is actually really hard. And I know some Fortune 500 or Fortune 50 companies that have a terrible time with asset inventory or with logging where they just can't get their hands on the data that they need.
Wendy Nather: So I think this just proves that the problem is more complicated than we think it is. And if I may be permitted to be a little snarky for a minute, is that all right Jen and Tod?
Jen Ellis: I don't know. Tod, can we cope with snarkiness?
Tod Beardsley: Yes. Yes, we can.
Wendy Nather: You can cope with snarkiness. Most of the people who are loudly saying, "Why can't they just do this? This is so easy," are researchers who have their own little lab at home and keep everything up-to-date. They have no idea how complicated it is to do this in an enormous company or even a small company where you don't run half the stuff. One time with Duo we were ... we offer 10 free licenses to any small company. And I was having dinner with a bunch of small-business owners and one of them was ... some of the other ones were teasing one of the CEOs about, "Why don't you have Duo installed? It's free." And he said, "Well, we don't have anybody to install it." And if you think about it, the CEO and maybe the three other people working with him or her are very busy keeping their business afloat. Who's going to sit down and install Duo? So a lot of this makes sense. If you really go and ask them honestly and they tell you honestly, it does make sense. It's a lot more complicated than we think it is.
Jen Ellis: Yeah, there's a lot to be said about trying to ... I know that in the security community sometimes empathy is a bit of a dirty word and I think it can get overused for sure, but I think if not empathy, at least trying to understand the context of the world in which the people you're trying to persuade operate. That's sort of just a basic negotiation skill is understanding their context and what they need and then figuring out how you can help them feel like they're getting something like that and bring them to a point where you feel like you've also moved your needs forward.
Wendy Nather: Yeah, absolutely. When I joined one organization, they had not patched anything in two years because they were terrified of what would happen when they patched and the context, the background of that is that it used to be a long time ago, system administrators administered the whole stack of what they were doing. They understood everything. They pulled the cables, they troubleshooted the software, they did everything. And so they understood the system so well that they knew what would happen if they made a change. That's not the case anymore. We tend to administer things horizontally and in silos. And so if you have a bunch of people, and none of them really know what's going to happen on this one server if you make a change, then they're going to be scared to make any changes to it.
Wendy Nather: And that makes perfect sense when you talk with the people. So getting them past that hurdle and getting the right support in place to be able to start patching and being able to respond to any complications took a good while before we could get them to feel comfortable enough to start patching. So it wasn't simple. It wasn't easy. It took a while and it did get better. But I really wish that more people would spend more time on defense in real-world environments so that they would understand this.
Jen Ellis: I'm surprised that Tod has been able to hold himself back though from an impassioned plea for people to do that.
Wendy Nather: Oh, come on, come on Tod, let's hear it.
Tod Beardsley: Well, I mean, here's my cynical doom-and-gloom counterargument is that, well if there is the security poverty line and people aren't doing the things, and you're running around not patching for two years and you don't get pwned ... I mean, I know there's a difference between risk and threat, but eventually, doesn't this problem end up solving itself when? When your whole enterprise gets ransomed off, that's the point where you start doing security. I guess I just don't-
Wendy Nather: Yeah. That's exactly the point when you start doing security.
Tod Beardsley: Right? And maybe that's okay. Maybe that's the time you do it. There's a very famous quote that I cannot attribute right now about how the internet of the future will be just like the internet of today and that it will be just barely secure enough to do the bare minimum of what it's supposed to do.
Wendy Nather: Oh, that was Marcus Ranum.
Tod Beardsley: Marcus Ranum. That's the one. Thank you. Again, you have the thought-plus cert, and I don't. And that's kind of the case today, right? I mean, we talked for years and years about like, "Hey, let's not put SMB on the internet." And then eventually things shaped up and we got EternalBlue and PsExec and all the other things that made SMB attack so effective. And we're starting to see a drop-off now of SMB. We saw an initial drop-off right after the big WannaCry attacks, another big drop-off after the NotPetya on the internet as a whole. And it's still trending a little bit downwards. It's very gradual. But we'll get there eventually. So does this all solve itself? And do security people kind of make mountains out of molehills about certain best practices?
Wendy Nather: Yeah, I mean, if you look at healthcare, for example, I can fully imagine that healthcare organizations may have software from some third-party supplier that has to use SMB to transfer medical data. So they have to have it open and there was nothing they could do until WannaCry happened and then enough healthcare organizations were able to beat up on this supplier and say, "You better bloody fix this." And now it's starting to get fixed. So yeah, I think things like this are going to push when it comes down to not just a theoretical security threat, but an actual availability crisis, which is what happened with WannaCry and NotPetya. When security and availability become one and availability is the ... it coincides with safety, especially for healthcare and other things. I think that's going to be the tipping point. You're right that it's ... we will see that.
Wendy Nather: Up until now, did organizations get the push that they needed? Was it worth it for them? If it would have cost them $1 million to upgrade two years earlier because it was theoretically the right thing to do, but they didn't upgrade until now, they saved that $2 million that that they could have used for operating costs. So from a business perspective, it could have been a good decision.
Jen Ellis: Here's the thing, and I know that I am a cyber-hippie and I believe in cyber-peace and cyber-love and that I always come in with my naive, "But wouldn't it be great if the world worked like this," stuff. But here's the thing is like, yeah maybe that company saves itself $2 million over the number of years that they don't do it. But then the potential cost to them is that piece of IP or that trade secret or whatever it is. Or customer confidence. It can be as simple as customer confidence, reputation. Yes, there are lots of cases of breaches where it isn't a business ruiner. We've seen time and time again. Target's stock price went up after their breach. More people went to the store. Target handled it obviously super well.
Jen Ellis: We've also seen cases of businesses where it did have a huge cost. I think, NotPetya is cited as being the most expensive internet attack ever because companies like Maersk and Merck really suffered from getting hit by that attack. When you think about the impact of that, a company like Maersk, basically runs shipping around the world, there's a huge impact not just on their business and the profit lines. But there's also, and this is where my cyber-hippie peace comes knocking back in again, there's a huge impact on people, humans, right?
Wendy Nather: Right. Right.
Jen Ellis: People who don't get access to medicine in the case of Merck and people who don't get access to the food that was being imported on a ship, in the case of Maersk. There's huge impact to people, to customers, that kind of stuff. And so I think there is a payoff here on the idea of sitting back and waiting and it's not a good payoff. And so that's why I hope that people don't play that game. Don't play chicken.
Wendy Nather: Yeah. Let's say you're a startup, you're not going to hire a CISO right out of the gate. There are a lot of things you're not going pay for.
Jen Ellis: What do you mean? Employee No. 3, come on.
Wendy Nather: You simply can't buy all of the things when you're two people in a garage and at some point you say, "Yeah, I guess we should start doing that." And if you're lucky, the timing is correct and you've missed most of the threats. But there are other ones that you just try to ... business is all about timing. It's all about taking risks and saying, "Can we do without this for a little bit longer so that we can spend the money here and expand here?" And so this is the trade-off that everybody's making.
Tod Beardsley: Well sure, but if you're the startup today you also ... I don't know of any ... I cannot imagine a startup today buying Rackspace at a place. No one's building their own bare metal servers anymore. If you're a startup you are hosting in the AWS, in Google, in Microsoft who do have access to excellent security teams, excellent security processes. You're using web application frameworks that make it hard to shoot yourself in the foot with a SQL injection. So I do think that starting today, your startups do have a leg up over the startups of 20 years ago who did have to do all this stuff. Like you say, they had the sysadmin who knew everything about everything. Now you don't have to know everything about everything and you can farm out some of that, at least some of the basics of security to someone else.
Wendy Nather: Yeah, it is getting better. You're right.
Jen Ellis: I think this also very strongly comes down to what is your business, right?
Wendy Nather: Mm-hmm.
Jen Ellis: Like if you are a startup that has innovated some incredibly new technology that is a new way of doing things that is important, recognizing that the potential for cyber-espionage from foreign nations that want to actually basically steal your idea and create their own and then steal your market, that's actually a pretty huge thing. And that's a different level of risk, a different level of recognizing the kind of attacker you're going to be facing, for one thing.
Jen Ellis: And I use that example because we had a customer that very much fit in that in that category of they're a small startup, but what they had built was a actually kind of had the potential to be an industry game-changer. And definitely the kind of thing that I could see foreign players wanting to try and steal and replicate and go after the market. And so in that instance, the kinds of attackers they're going to be facing with. We're not talking about drive-by casual stuff. We're also talking about the potential for their business to survive. If they lose that cherry position they have with their IP, then that's it. They're done for. Like, if the secret recipe to Coke goes, then what is Coke? It's just a red label.
Jen Ellis: And don't get me wrong, I know that I just very much minimized the effect of branding. And in the case of Coke, one should definitely not do that. But with startups, they don't have that brand capital. They don't have the brand loyalty. What they have is that cool IP. And so you have to think about what does your particular risk model look like? What are the things that you need to protect? What is the likelihood that people are going to come after you and what are the kinds of people who are coming after you? And then you make an informed decision about how important security should be in that context. For some it's going to be low-level and for others it's going to be a much higher priority.
Wendy Nather: Absolutely. I mean, if you're a startup with a great IP, as Duo was in 2011 when it launched, it was like-
Jen Ellis: That was nice by the way. That was seamless.
Wendy Nather: Thank you. Thank you. Professional. If you're a startup with that IP, first of all, are you going to spend your money protecting your IP or are you going to spend your money getting your product off the ground? It's got to be either/or. And so you go along as long as you possibly can until you believe that the threat is probable enough that you need to start spending money on it just beforehand. And as you probably know, Jen, I call that the cheeseburger risk management syndrome, where you're going to eat cheeseburgers until your first heart attack and then you're going to stop.
Wendy Nather: And we all do this with risk as humans. And if we're lucky, we see the threat happen to somebody else and we feel that it's probable enough since it was somebody we know that we now say, "Okay, maybe I better put down the cheeseburger because my friend over here just had a heart attack." That just-
Jen Ellis: You're making me really hungry right now.
Wendy Nather: Yeah. I know. That's just how we operate. And as another CISO of a really, really large company said to me, something like, "We're just another breach short of a budget increase and if we're really lucky it'll be somebody else's breach." So, we rely on that as well. It's a very difficult equation.
Jen Ellis: Guys, I'm so depressed right now.
Wendy Nather: It's really tough. And so the thing is, how can we make this better? How can we provide security or help organizations get security built in onto platforms and joining platforms that already have a lot of those things built in. How do we help the current ones that are stuck, on top of a big, massive legacy, how do we help them move to something cleaner?
Wendy Nather: I have a friend who did incident response for another enormous company that had its IP stolen and afterwards, he was trying to sell them on, "Can we put the security in now?" And they said, "What for? Our IP is gone. There's no point in us doing it now. It'll just cost money and it won't help." So what do you say to a company like that? That's what we're running up against. We don't know if companies can afford what we say they need. Can we figure that out? Can we help them get it in time without too many of them falling prey to these sorts of dangers? I mean, I don't even know if anybody's even studied how many shops have folded because of cybersecurity events. How many had their investors pull out?
Jen Ellis: That would be a fascinating piece of research. I don't know how you'd go about it, but it'd be a fascinating piece of research.
Wendy Nather: Yeah. I don't know. But it would be interesting to know the real scope of the problem, not what we think the problem is. Because the problem is that we have a bias as security professionals. We're kind of like firefighters. If you ran around putting out fires all day long, you would think the entire world is on fire. And so we think about, and we deal with security incidents all the time and the availability bias can come back and bite us. And we don't realize that it really isn't quite as bad as it looks to us because we always look at the bad stuff.
Jen Ellis: Okay. So if you were going to give people one piece of advice, this is how I always end every spot with this question, what would your one piece of advice be that you would give?
Wendy Nather: Oh boy, don't drive yourself to the ER. I don't know. Don't write malware. Come on.
Jen Ellis: There are better ways of making a living.
Wendy Nather: If Jen asks you to do something, always say yes.
Jen Ellis: Really? Are you sure about that?
Wendy Nather: But buckle your seatbelt first.
Tod Beardsley: Welcome to my career.
Jen Ellis: I was going to say. I feel like Tod would give a very different piece of advice. Awesome. All right. Well, I can't decide if you've depressed the hell out of me or left me feeling like things are not as bad as they seem and it's all going to be okay. I have to go and digest it, so maybe we can have you back on in the future and I can figure that out.
Wendy Nather: Awesome.
Jen Ellis: Thank you very much, Wendy, though. It was absolutely awesome having you on as usual, both completely enlightening and thought-provoking, and entertaining as hell to have you here. Thank you very much.
Wendy Nather: Thank you.
Jen Ellis: So that’s our episode. Thank you so much to Wendy for being our special guest this week. Thank you to Tod for educating me on everything, as per usual. And thank you to our amazing producer, Bri, who keeps us in line and also has the patience of a saint. Next episode, we’ll be talking to…we have no idea, so you’ll just have to tune in to find out! It will be very exciting.