ISMG Editors: CISO Disclosure Rules Changing Post-SolarWinds
Also: Ransomware Threats in Healthcare; the Growth of Mimecast
Anna Delaney (annamadeline) • August 23, 2024
In the latest weekly update, Information Security Media Group editors discussed the evolving disclosure responsibilities of CISOs, yet another ransomware attack targeting the healthcare sector, and Mimecast's latest strategic acquisition as part of its broader expansion efforts.
The panelists - Anna Delaney, director, productions; Tom Field, senior vice president, editorial; Michael Novinson, managing editor, ISMG business; and Marianne Kolbasuk McGee, executive editor, HealthcareInfoSecurity - discussed:
- Key takeaways from an interview with Jennifer Lee of Jenner & Block on how the SolarWinds case has redefined cybersecurity disclosure obligations, especially for chief information security officers;
- How McLaren Health Care is facing its second ransomware attack in a year, which has caused extended IT disruptions that force patients to bring paper records and has led to widespread delays in services;
- How email security vendor Mimecast has expanded its recent string of acquisitions by acquiring Aware to strengthen collaboration security - and the impact this will have on Mimecast's overall strategy.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the Aug. 9 edition on whether Russia is waging a war through ransomware and the Aug. 16 edition on the hacking of the U.S. election.
Transcript
This transcript has been edited and refined for clarity.
Anna Delaney: Hello and welcome to the ISMG Editors' Panel. I'm Anna Delaney. Today, we'll discuss the evolving disclosure responsibilities of CISOs, yet another ransomware attack targeting the healthcare sector and Mimecast's latest strategic acquisition as part of its broader expansion efforts. Today's star panelists include - Tom Field, senior vice president of editorial; Marianne Kolbasuk McGee, executive editor for HealthcareInfoSecurity; and Michael Novinson, managing editor for ISMG business. Brilliant to see you all.
Tom Field: And you.
Michael Novinson: Good morning Anna.
Delaney: Good morning! Tom, last week, you shared some key takeaways from your conversations at the Black Hat conference, and this week, you're diving into one of those conversations, particularly with Jennifer Lee on CISO disclosure obligations. Tell us more.
Field: Yeah. That’s a hot topic these days for our core audience. She's a partner with Jenner & Block, a law firm that represents lots of these CISOs. She's tight with the SEC lawsuit and the action going on in courts right now. So, the discussion was all about, okay in today's environment, what is the CISO's disclosure obligation when it comes to cybersecurity? What do you put your name on? What do you have to agree to? What do you communicate to your partners as well as to your customers? So, lots to talk about there, and it was a terrific interview. The interview was posted the other day. One of the points that I asked her about was, what is the CISO's responsibility in signing off on the company's own cybersecurity statement? So, I want to share an excerpt of this conversation with her.
Jennifer Lee: They need to be cognizant that the SEC is going to be looking at CISOs as a subject matter expert, and so what CISOs need to do is have clarity on what is it that they're being asked to approve, what are they being asked to review? And they can no longer be passive. This is the time to be active and ask those questions. If you're a CISO and you're CC’ed on an email and there's some kind of cybersecurity statement that's attached in that email, now is your chance to say, "Are you asking me as a CISO to approve this for accuracy?" Because in the absence of anything to the contrary, the SEC is going to look at that email and say the CISO was responsible for that.
Field: Does that sound familiar to you at all Anna?
Delaney: Totally does.
Field: And I asked because so many times we've had the conversation with CISOs about them trying to get their business executives to sign off on the risk that they're accepting within the organization if they agree to or disagree with any cybersecurity recommendations. The tables have turned a bit now. Now, the CISO is the one that needs to make sure their name is on that security statement that's representing them in their organizations.
Delaney: How do you think this case might influence the relationship between CEOs and CISOs?
Field: Yes, and it's put CFOs in there as well. It is still not clear whether the SolarWinds' CFO could have some responsibility, or at least, be taken to court over some potential responsibility. But it makes the CISO a lot more reflective on what they're getting into, what they're taking on and what they are communicating to customers, partners and even over social media statements they might be making or when they're at their various conference appearances. Now, I will tell you one interesting piece of advice from Jennifer Lee to CISOs, which is "Do Not Get Your Own Counsel." You've got to be on board with your general counsel, and this is the time to make sure that you've got that relationship there and you're being represented as you need to be. What it comes down to is there are a lot more questions CISOs need to be asking before they accept these roles to understand the kind of marriage they are getting into. You want to understand the good and the bad in sickness and in health, and you better be getting a lot of these questions answered upfront.
Delaney: There are lots of conversations happening this year on this very topic. So, there's a lot more awareness coming through.
Field: P.S., we couldn't bring up Joe Sullivan's name because she also works with Joe Sullivan, so couldn't ask her that.
Delaney: Very good. I implore everybody to watch that interview, and many more. I am aware of the several Black Hat and DEF CON interviews that you conducted; you were in charge of Michael as well. So, lots of great content coming on our sites.
Field: Yeah, they're all coming up now. So, please stay tuned.
Delaney: Brilliant. Marianne, another ransomware attack has struck the healthcare sector. This time impacting McLaren Health Care, which is facing extended IT disruptions after an attack earlier this month, forcing patients to bring paper records and causing delays and services. Tell us about this latest setback for McLaren, because I know it's not the first time, is it?
Marianne McGee: No, it's not. And that's sort of what makes this interesting. As you said, McLaren Health Care in Michigan is still suffering an IT disruption from a cyberattack that was first detected earlier this month, and the organization says it'll take at least until the end of August before it expects to fully recover its IT systems, which include electronic medical records that have been down now for almost a month. In the meantime, McLaren says most of its 13 hospitals, dozens of cancer care centers, clinics and other facilities are open and operational. But again, because IT systems are down, patients need to expect delays, postponements and the workarounds that their clinical staff has to do. That also means that patients, as you've mentioned, need to bring copies of their paper records if they have them, as well as empty medication bottles. So now, clinical staff who work at the organization tell me that nurses and other frontline workers are being stretched thin during this whole episode with heavy workloads that include manual charting and medication record keeping. Patient encounters are taking longer than usual because the EMRs and other critical IT systems are offline. One nurse told me that she and her fellow nurses are double and triple-checking their patients' medications before they give them to the patients to ensure that the information is correct and to avoid potential patient safety mishaps. Now, we've seen these kinds of long IT disruptions before at other large U.S. hospital systems like Ascension in June and CommonSpirit in 2022, and those incidents also involved ransomware. But, what stands out about McLaren, as you mentioned, is that this is the second ransomware attack on the organization within the last year. The first attack last year was allegedly carried out by the ransomware group BlackCat, which claimed to have stolen the sensitive information of 2.5 million individuals. This latest attack supposedly was carried out by Inc. Ransom - another cybercrime group. Clinicians who worked at McLaren through both incidents say that this latest attack has been a lot more disruptive than the first attack. McLaren last week publicly confirmed that, yes, this incident does involve ransomware. But beyond that, the entity hasn't said much else about the attackers or whether it paid a ransom, including the fact that McLaren is looking to see if patient data was compromised again. But, the fact that McLaren has fallen victim to an attack twice in one year raises a lot of questions, including whether or not all the vulnerabilities that were exploited by the attackers in the first incident were fully remediated. Last year, BlackCat attackers claimed that its back door was still running on McLaren's network. Now, some security experts say that it is unfortunately becoming increasingly common for some organizations to fall victim to one threat group and then another. Raj Samani, who is the chief scientist at security firm Rapid7, told me that a key consideration will always be whether the vulnerabilities that allowed initial access were addressed. He also said that over the last 18 months, his firm has seen a trend for fluid activity between ransomware groups, including sharing of code and affiliates, moving freely from one group to another. So, all this means that organizations that are hit by ransomware attacks not only need to put in a lot of hard work to recover their IT systems and to deal with any data breaches, but they also need to put that much effort into the aftermath, including ensuring that any security weaknesses that were exploited are fixed so that more attacks don't happen. We don't know if that's the case here, but it's something that needs to be looked at by these organizations.
Delaney: Marianne, how does this attack fit into the broader trend of ransomware targeting healthcare? And do you see any emerging patterns in how these attacks are evolving?
McGee: If anything, this attack was yet another reminder for the healthcare entities themselves that they are also targets. Because this list last year, I wouldn't say it's just this year, it's been sort of a trend. But, the third-party attacks on software vendors, IT services vendors and supply chain partners have been a big focus, and attacks on those critical third parties in the healthcare sector have a wide impact on many organizations. But, these organizations need to realize again that they are potential targets. And they've also got to check the vulnerabilities that have been identified during risk analysis, and whether they have patched or addressed those vulnerabilities. That's a problem, and particularly if you've been hit once, you need to make sure that you're addressing whatever went wrong so that at least attackers won't use that again as another way to get into your systems.
Delaney: Thanks Marianne for that update. Michael, email security vendor Mimecast has added yet another acquisition to its string of recent purchases, acquiring the company Aware to enhance collaboration security. So, can you explain this recent wave of acquisition activity and its impact on Mimecast's strategy?
Novinson: I want to talk about this at two levels. First, I want to talk specifically about what's going on at Mimecast. Then, I also want to talk about what's going on more broadly in the industry, and how Mimecast's activity fits into who we're seeing acquired and what the thought process is behind these acquisitions. So, as you alluded to, Mimecast has made a string of acquisitions this year. They've made three acquisitions in the first eight months of the year. So, quickly to talk you through those, they bought Elevate Security in January, which is focused on identifying high-risk users. In July, Mimecast bought Code42 to expand its capabilities around insider risk and data security, and then Aware was the most recent acquisition focused on risk around collaboration platforms such as Slack, Teams and Zoom. What's interesting about this is first, the company got a new CEO in January, right before doing the string of acquisitions. They had been Mimecast for about 20 years, which was run by Peter Bauer - Mimecast's founder. But later, he decided to step back. He's still on the board but decided to step back after 20 years. So, they brought in Marc van Zadelhoff, who was earlier the CEO of Devo, which was a startup for a handful of years, and he jumped over to Mimecast. A bit unusual to see somebody jump from the CEO of a startup to the CEO of a more established vendor like Mimecast. But certainly, he has been more aggressive on the M&A front this year. To put M&A into context, it's the first M&A Mimecast has done since 2020. The last M&A was done in mid-2020. So, they went three and a half years without doing any M&A and then did three deals in seven months. So, it's interesting to me why that's happening. And during that dry spell in M&A, the company changed hands. Mimecast was publicly traded for a number of years. Permira private equity firm bought them for $5.3 billion, the deal which closed in the spring of 2022, almost before the economic downturn happened. 
So, a couple of things going on for Mimecast - one more on the technology side and one more on the economic side. I do want to get into each of them here. From a technology standpoint, there's been this push to broaden the platforms that you had a couple of these legacy secure email gateway vendors - Mimecast and Proofpoint. Proofpoint is almost more aggressive in terms of trying to broaden beyond email security. They've made several acquisitions over the years in areas such as deception technology, and in particular, have focused on data security and it's built out a pretty extensive DLP business - one that rivals the size of what Symantec, Forcepoint or Digital Guardian have. So, that has been a big area of investment. You see this as well with newer entrants into this space, such as Abnormal Security, which has a bit of a different approach. It's more of CAPES, or cloud-based API email security. It's not a gateway. There's no gateway technology. But, you've seen Abnormal do the same thing, where they started with email and then are trying to focus more on human risk management, or human risk behavior, which is a branding we've seen Proofpoint do, and now we're seeing Mimecast rebranding themselves as a human risk management provider. The idea of getting email security from a vendor, especially with this talk about platformization and all the other emerging technologies, isn't going to be as appealing. But, if you're able to more broadly address human risk, conduct security awareness training, focus on safeguarding data and collaboration tools, in addition to email, and address more needs of a company that is focused on trying to consolidate around 6-8 platforms, there may be a space for a human risk management platform. So, we're certainly seeing that move from a technology standpoint. Also, the three acquisitions Mimecast has done have been outside the core email domain. We've seen some of the broader platform players get into email security recently.
Check Point bought Avanan a couple of years back and Cloudflare bought Area 1. If customers are looking for cloud-based API email security, they can also get it from a broader technology platform. So, try and move by Mimecast, perhaps a bit later than Proofpoint, to expand their total addressable market. The other thing to note is what's going on economically, which is that you've had a lot of companies hit a dead end, and these were especially those companies that were kind of mid- to late-stage startups that had reached at least Series C, and there isn't much of a way for them to exit. Public markets now need $500 million in annual recurring revenue to be a viable candidate to go private. Similarly, private equity, because they need to figure out how they're going to exit their investments, are looking for bigger companies. You see Thoma Bravo, who's certainly probably the most active PE firm in this space, is taking public companies private. That's been almost all their moves recently. The types of companies that are getting acquired by PEs are pretty large, and if they're not large enough today to go public, these PEs feel that within a couple of years, they'll be large enough to go public. But then, you have this whole other contract companies; they often raise well north of $100 million but have no reasonable, viable path to getting to that half a million or half a billion in annual recurring revenue. So, what we're starting to see is instead of exiting to a financial buyer, they're exiting to a strategic buyer. But, if you look at some of the acquisitions Mimecast did, such as they bought Code42, which had raised hundreds of millions, they shaved their head counts down about 50% since mid-2022 and it raised a lot of money. But, they weren't going to get big enough that they're going to be appealing to a PE firm or going to be possible for them to go public.
Aware's head count was down significantly over the past couple of years, but these are companies that maybe had decent technology. Maybe that's the bet that Mimecast is making as some of these companies' technology components are strong. But, the business case didn't work. And if we take that technology and plug it into our channel - into our go-to-market engine, and we align it with some of the pieces that we have, we can extract some value from this, especially at a deep discount. It's similar to the strategy we've seen from Fortinet, which tends to be extremely conservative when it comes to M&A. We saw them buy Lacework just a couple of months ago here. Lacework at one point was worth more than $8 billion. Fortinet bought them for $150 million. They pretty much took the technology, keeping very little of the team. Or they are going to try to plug it into their SASE engine. Fortinet similarly bought a DLP provider who had kind of flatlined from the headcount perspective. So, we're seeing kind of this bargain shopping now from companies that historically have been more conservative when it comes to M&A and the Fortinets and the Mimecasts of the world and are essentially looking for good value. They can plug some technologies into their stack and their pay may be a fraction of what this would have cost a couple of years ago. So, definitely expect to see more of that, because there's a whole lot of companies that raised money when the economy was better and don't have a viable path forward.
Delaney: Very nice analysis there Michael. Thank you. With increasing reliance on cloud-based collaboration tools, how do you foresee the balance shifting between email security and the security of other collaboration platforms?
Novinson: What we're seeing, Marc van Zadelhoff also talked a little bit about it, is that if you're communicating with external stakeholders, it's usually, I don't want external stakeholders blowing up my cell phone. So, I'm usually going to be using email. But, if it's people within our company, we use Teams, mostly. Certainly, a whole lot of other companies use Slack, and more and more of the communication among people who work within the same company and increasingly even with third-party partners is happening through these internal collaboration tools rather than through email. So, it's certainly been an area that people haven't thought about as much, that people are cognizant of what a phishing email looks like or a strange attachment, but people don't apply the same level of scrutiny to a Teams message or a Slack message from somebody who they think is their teammate. So, if an adversary can take over an account and can send malicious links and attachments through Slack or Teams, they are going to get much greater buy-in than from email, where people have their guard up a little bit. There's a little bit more skepticism at this point. This is what Marc van Zadelhoff talked to me about. It's the look and feel of messages on Slack or Teams is going to be different. They're more informal. And if a lot of this is about detecting behavioral patterns, the things that may look fishy in an email might be normal in a Teams message and vice versa. So, the hope with buying Aware is that they could kind of calibrate that technology to be able to more accurately detect unusual patterns or unusual communication behavior in a way that they couldn't on their own.
Delaney: Very good. Thank you Michael. Thank you so much everyone. This has been informative and educational. Thanks for all your insights.
Field: We'll do it again.
Novinson: Of course.
McGee: Thanks Anna.
Delaney: Thank you so much for watching. Until next time.