BitSight CEO on Nation-State Attacks
Shaun McConnon Says Security Preparedness Falls Short
The advanced and persistent nature of today's cyber-attacks, which are often waged by nation-states, is changing the way organizations address network security, says Shaun McConnon, CEO of BitSight, which specializes in business security preparedness.
These emerging attacks are now being waged against a much wider variety of hardware, including mobile devices, he explains in this exclusive Executive Session interview with Information Security Media Group. "There is no perimeter anymore," he says. "There are many more touch-points in a company today," which, in turn, has made it easier for hackers to penetrate networks.
Hackers, especially nation-state actors, know that most organizations fail to adequately address risks posed to their networks by third parties, McConnon says. "Businesses today outsource everything ... and it's very hard to ensure security when you're outsourcing."
Hackers are increasingly targeting less-secure third parties to ultimately gain access to organizations' primary networks, McConnon explains. "You can't prevent hacks. But you should focus on the information," he says. "You've got to be able to look at your third-party risk and have somebody on your team who's looking at that risk regularly."
During this interview, McConnon also discusses:
- How threat actors have changed over the course of his career;
- Why it's a mistake to rely on annual security compliance assessments to determine overall cybersecurity; and
- Why risks posed by employees and even customers can be as serious as those posed by vendors.
Before BitSight, McConnon was the CEO of several IT and security start-ups, including Q1 Labs, now part of IBM; Okena, now part of Cisco; Axent Technologies, now part of Symantec; and Raptor, which recently went public. He also helped to launch Home Away Boston, a not-for-profit organization that provides free housing for families with children being treated at Massachusetts General Hospital for Children.
TRACY KITTEN: Evaluating security and compliance is no easy task, and as concerns about cyber risks related to third parties continually increase, more onus is placed on organizations to ensure they are adequately addressing not just their own internal cyber security preparedness, but also the preparedness of the vendors and other service providers with which they work. Here, Shaun McConnon, CEO of BitSight, discusses why maintaining ongoing security and compliance is so challenging for so many organizations and how the evolving cyber threat landscape is only expected to complicate compliance in the future.
Hi, I'm Tracy Kitten with Information Security Media Group.
So Shaun, why is security compliance, especially as it involves cyber security, so much more challenging today than it was say, five years ago?
SHAUN MCCONNON: Well, it's more than a numbers game, Tracy. It's very similar to terrorist attacks on nation states. Nobody knows sometimes when they're going to come, in what form, and by whom. So, the explosion of connected devices, especially mobile devices, basically has made it much more difficult to protect companies from attack, or nation states from attack. A lot of times it feels like the good guys are trying to play catch up, because there are no real solid regulations, both federal or industry. Everybody's got them, but they're very confusing.
So, in terms of compliance, I'd say the lack of national standards is a huge factor for why security has become, you know, such a great challenge. It's an alphabet soup of regulations and guidelines for businesses. To keep up with those standards is a constant struggle, because you have to have organizations within your company who are kept abreast on literally a daily, weekly basis of what the landscape is and what it's evolving to.
KITTEN: You made an interesting point there, Shaun, about the lacking national standards as far as it comes to cyber security. We do have quite a few standards that relate to specific industries, and healthcare and financial of course come to mind. But do you think that if we had standards that applied to all industries from a national perspective, that perhaps we could help CISOs and organizations comply more readily?
MCCONNON: Compliance does not equal security, per se. They're guidelines at best, so basically compliance guidelines are good, and you can meet them. A lot of the companies that have been hacked have had good compliance to the standards in their industry or other standards and they've still been hacked. One such hack on Target did not come through the main computer system or operating system, it came from the HVAC system and the attack was launched from a partner of Target.
So, it is so difficult to see where it's coming from and the nature of the attacks. Compliance is one step, but it's just one.
KITTEN: So Shaun, how have cyber threats evolved over the last decade, would you say? How has that evolution impacted organizations' abilities to maintain adequate levels of security?
MCCONNON: Basically, nation state sponsored and threats of cyber war, besides those, we've seen lots of attacks become more sophisticated and targeted, no longer looking for opportune victims, attackers have started to target companies persistently, looking for vulnerabilities to exploit. Some of the major viral attacks in the United States in the last decade, one was launched by a 15 year old kid in Canada, but the sophistication has gotten so large now, and it's been monetized to get these credit cards.
Credit cards, if you hack and get 50,000, or 30 million credit card numbers and IDs, those can be sold on the black market for a dollar a piece. So, it's become an industry, if you will, and involving lots, and lots of money. Another part of that industry is actually blackmailing companies, and people have actually paid not to be hacked.
A lot of companies, in order to do compliance, relied on what they call an annual assessment done by PWC, Deloitte, people like that. They pay anywhere from three to five thousand dollars for an assessment, but that was annually. They'd check all the boxes to show that they were in compliance, they put the assessment aside and wait for the following year to do the next assessment.
You've got to be looking at your security not from that kind of a compliance standpoint, but you've got to be looking at it daily. You've got to have reports that are updated on a literally, daily, weekly basis to show what has changed in your environment, and how do you fix it? Compliance reports, to me, are somewhat out of date and not as useful as they were five years ago.
KITTEN: That's a good point that you make Shaun, because I think compliance did perhaps play a much different role five to ten years ago than it does today. Could you give us some perspective about how you've seen the industry change? Before you came to BitSight, you spent some time with a number of other security companies. What would you say has or have been the top two or three cyber risk changes you've seen over the course of your career?
MCCONNON: We have a dynamic threat landscape now. I've been in this business for over 40 years, and I've been doing the cyber stuff, the security stuff for 20. I had the first American firewall company, and that's when the landscape was purely a perimeter. We thought then, in 1992, '3, '4, '5, that if you could stop someone from just coming into your company at the perimeter, you were safe.
Then when we found out that people could get through the perimeter, firewalls have to be totally updated on a regular basis, and a lot of times they're not. They have rules for firewalls, and if you don't update the rules on a regular basis, people can get through. So, then I went to an intrusion prevention company and basically, that was to stop intrusions, mainly viruses, from coming into the company. But you had to know the signature of each virus before I started that company. A signature is just like a human fingerprint, it's unique, it's different to each one. In that company, we basically said, "We'll look at the behavior of the virus, not the signature."
Then the last company I started was the SIEM, which is a long-winded word for Security Incident and Event Management. We sold that company to IBM and it's now the IBM security division. In each case, we went from the perimeter, then we went inside. The SIEM was looking at security logs, but there is no perimeter anymore. People have mobile devices, people are working from home, you're on the Internet. There are many types of points into a company, so it's gone from a very static environment to a very dynamic threat landscape over the last 10 years.
KITTEN: You mentioned earlier the Target breach. Shaun, of course the Target Breach does highlight some of these third-party risks that I noted in the introduction. Are third-party risks greater today than they were when you first started out in your career?
MCCONNON: Oh, tremendously so. Absolutely. Third-party risk has definitely reached a new level of awareness, because it's such an easy way. People have not been checking their third-party partners. We have an insurance company here that was about to re-insure, this article was actually in the Wall Street Journal, and we never named the customer, but they were looking at reinsuring someone. They got one of our reports and said, "Oh my goodness, this guy has so many problems in his security landscape and his environment that we can't re-insure him."
But they go and show that partner the problems, actually their customer. Their customer fixed the problems and they got re-insured, so it's a business now. Security hacking has become a business as opposed to people who were just malicious before. Also, Tracy, businesses today outsource everything. So, you've got payroll, HR stuff, they even outsource some of their own computer environment. As such, it's unbelievably difficult, very hard to ensure security when you're outsourcing everything.
KITTEN: I'm wondering if this whole notion of outsourcing has perhaps shifted the paradigm a bit from what we would say constituted basic security truths 10 years ago versus what we would say today. But are there certain basic security truths that hold true now, that also held true when you started your career?
MCCONNON: Yes and no. I've been changing my opinion constantly on a quarterly, yearly basis about that for literally a decade. That's why this is my fourth security company. Every time I'd thought I'd solved the problem, like on firewalls or intrusion prevention or in SIEM, someone came along, a hacker or hackers and figured out a way to get around it or penetrate, or what.
If you look at NSA and DoD, the basic parts of their operations that they do not want to be compromised don't connect to the network. That's a basic truth. Don't connect to the network and you should be fairly safe. Don't allow people to bring their own computers or devices into your network and attach them to your network. That's a basic truth. But in today's modern world and modern business, you cannot not connect to the network. So, you're kind of screwed either way.
KITTEN: So Shaun, shifting gears a bit, what would you say has changed from a skills perspective? In fact, what would you say are the top three or four skills or strategies that organizations should be looking for in the people as well as the security plans they put in place to ensure ongoing security, whether that's internal or external with some of these other third-parties they work with?
MCCONNON: In the last decade, there were two organizational structures that didn't exist 10, 12, 15 years ago that I've watched evolve. One was the Chief Information Officer and the other was Chief Information Security Officer, the CISO. That's evolved in the last decade, and it's important to have in your CISO role a leader who's dedicated to security performance and making the strategic decisions around that. So, awareness, you have to know, and this is an evolving thing, how to manage your risk, especially third-party risk. You have to be dedicated to security.
Some companies that I talk to now don't. They go to their IT guy or their information security people and they say, "Yeah, we're fine. No, we look good." I would tell you some of the companies that have been hacked in the last six months had very, very good scores from us but were still hacked, because we don't prevent hacking. We don't prevent intrusions. We do provide information, and I think that's the key thing. Informational awareness of your environment, and the activity. We provide a one year's worth of activity with our reports and it's important to look back. Just before some of these attacks, Tracy, the activity of people trying to probe companies in different areas usually increases by 20, 30 percent or more, sometimes 50 percent before an attack. So, you've got to be able to look at your third-party risk, you've got to have someone who's in charge of that and is looking at that daily and weekly as opposed to the annual report that people do in assessment firms.
KITTEN: So, you made a good point about the activity and the information sharing. Could you talk a little bit more about how we can use information and activity, not necessarily to prevent these hacks, but maybe to predict them?
MCCONNON: You use that special word that I shy away from, prediction. It's hard to predict anything. The thing is, you must have a quick response time as opposed to just prediction. From activity, you can say the probability of a potential attack has risen in your company dramatically. Can I say it's risen by 50 percent or 80 percent? No, but we can say it's risen, it's risen dramatically, and I can show where it's risen and how it's risen, but predictability is a very difficult word because you can predict something and if the hackers know that you are predicting attacks, they might not attack. Then just when you weren't expecting one, they hit you.
KITTEN: So Shaun, before we close, are there any final thoughts that you could share with our audience about the nature of activity they should be monitoring, or areas that they should be focused on as we look out into 2015?
MCCONNON: The word most security companies are hearing from everybody is third-party risk. That's absolutely the key. It's the new dynamic out there. When you on-board a new partner, you should be checking their security posture, and you should be checking the security posture of your present partners, your top 100, 200 in a big corporation on a regular basis, on a daily basis. You should be looking for alerts in case things have changed dramatically and negatively, and have the appropriate teams with the appropriate skills and passion to make sure that they are always on the lookout for different, strange behavior around your security systems.
Make sure you have the most up-to-date security software programs, and be compliant. Start with compliance, be compliant to the standards of your industry, whether it be HIPAA or whatever, but make sure that your teams go way beyond those.
KITTEN: Shaun, I'd like to thank you again for your time today.
MCCONNON: Thank you so much.
KITTEN: Again, we've just heard from Shaun McConnon of BitSight. For Information Security Media Group, I'm Tracy Kitten.