CyberWire-X 9.26.21
Ep 19 | 9.26.21

Why it’s time for cybersecurity to go mainstream.


Dave Bittner: Hello everyone and welcome to CyberWire-X, a series of specials where we highlight important security topics affecting organizations worldwide. I'm Dave Bittner. Today's episode is titled, It's time for Cybersecurity to go Mainstream. The commonly held idealized picture of technology is that tech makes our lives easier, safer and better in just about every respect but an unintended consequence of that picture is an unjustified assumption that companies will sell more products if they serve the public interest and that may not be so. On the consumer side, personal technology investments are often a race to the price bottom with little attention paid to the security of the products we buy. Vendors may enjoy less scrutiny and accountability but that's not necessarily in the consumer's interest.

Dave Bittner: Good things almost always come when technology steps out of the shadows and into the light of the mainstream. It's time that happened in cybersecurity where everyone from suppliers to consumers has a role to play. In this episode of CyberWire-X our guests will discuss achievable steps the government, private sector and the broader public can take to start moving the needle on cybersecurity. We'll discuss risk, accountability and above all transparency. A program note, each CyberWire-X special features two segments. In the first part of the show we'll hear from industry experts on the topic at hand, and in the second part we'll hear from our show sponsor for their point of view. And speaking of sponsors, here's a word from our sponsor, Tanium.

Dave Bittner: To start things off, my CyberWire colleague Rick Howard speaks with Dr. Georgianna Shea from the Foundation for Defense of Democracies. The second part of our program features my conversation with Chris Hallenbeck, CISO for the Americas at Tanium, our show sponsor. Here's Rick Howard.

Rick Howard: On May 12th 2021 the United States President, Joe Biden, signed Executive Order 14028 mandating that all Federal information systems meet or exceed specific standards and requirements for cybersecurity. The list of improvements was long but one item specifically stood out as something that the network community hasn't really tried yet, but if successful could spill out to the rest of the world as an International Standard that both governments and the private sector can work together to make it reality. The item is something called a Software Bill of Materials or SBOM. So I invited Dr. Georgianna Shea to the CyberWire hash table. George, to her friends, she's the Chief Technologist at the Foundation for Defense of Democracies.

Dr. Georgianna Shea: I'm the Chief Technologist for the Transformative Cyber Innovation Lab, also known as the TCIL, and my job there is to demonstrate good technologies or processes that move the needle on cybersecurity.

Rick Howard: George, let's start with some basics. What is an SBOM and why do we need it?

Dr. Georgianna Shea: The SBOM, the Software Bill of Materials, is a list of all the nested software components within a software package. Software is on average 75% open source and other software entities, coders don't go through and reinvent the wheel, they reuse different software programs out there to run different functions on things that they don't have to recreate. So, so the SBOM tells you not just the problems of the software but like I said the other components that are included in it as well.

Rick Howard: So it's not just a software application like Gmail let's say, but it's all the software libraries and bits of code that developers don't recreate every time they make something new. They're, you know, taking that stuff from all over the place right. That's what we're talking about here, is trying to get a listing of what that is.

Dr. Georgianna Shea: Correct.

Rick Howard: You authored a paper called A Software Bill of Materials is Critical for Comprehensive Risk Management, and you got volunteer research help from JC Herz and John Scott from a company called Ion Channel and Arun Majumdar from a company called Virgil Systems and you talk about what you were trying to accomplish with the paper.

Dr. Georgianna Shea: My background isn't an expert in software development, my background's cyberthreat, cybersecurity. So one of my, my big concerns is and has been the supply chain. In, in the supply chain it's difficult to go through and assess what are the risks that are in hand of the software that you're getting and when you're developing contracts in large organizations like DOD for weapon systems, for our tanks, for our aircraft, for all of our major acquisition programs there's a contract that's written to a company, they then say okay we're going to write the software for this program and you get the software and it becomes tested and evaluated usually based on the, the known CVEs, your common vulnerability and, and exploits that might be included in the software.

Dr. Georgianna Shea: A big concern of mine and, and everyone that is in the cybersecurity world, is you have risks within software before they become known vulnerabilities and a great example of that is the SolarWinds last year. In 2020 there were no CVEs, there was no issue, it's wonderful, you can put it in everything but then as soon as the CVE is put out in January 2021 now there's a known vulnerability. All software is like that, it's a point in time security when you do evaluations and look at what, what's currently there. There's early indications of issues that are in the software that may bubble up to become vulnerabilities later, like those dependency softwares not having a maintenance tail to them, being developed from unknown committers on-line, the people who are writing the code, the different type of attributes that are there, the software licensee and the versioning, the dependencies, the code origin, all of those are indicators of vulnerabilities that may become a threat later, provenance in the scrutiny on that code to be a little more thorough than what it currently is.

Dr. Georgianna Shea: So when you purchase software, you should know, oh I'm buying this one piece of software but it has four dependencies below it and then when you look at those four dependencies below it, you may have 900 dependencies which is the case in the pilot that I did. We had taken a software that was available on GitHub, publicly available, no CVEs, so it looks great code, looked at it and it had about, you know, seven dependency softwares within it. Started to go through and look at the analysis of those seven and it was well over 900 and, and I have to credit Ion Channel for this, 'cause they're the software supply chain company that goes through and does this type of analysis, and if you really want to get scared please talk to them. You can talk to JC Herz or, or John Scott on the type of analysis they can find.

Dr. Georgianna Shea: You can go through and, like I said, look at the originator of some of the code, that third tier code and find that oh these are Chinese nationals that work for the government and they're putting bits of code out there, and it's being absorbed into a larger software that then eventually comes into different systems but without any actual software bill of materials, you don't know what you're getting. And it's really impossible to go through and develop that risk management plan if you don't know what it is you're getting. I almost guarantee that with every Software Bill of Materials once you do the analysis on it, you're going to find vulnerabilities, but it's understanding what those vulnerabilities are, those leading indicators of potential vulnerabilities and, and accepting that risk.

Dr. Georgianna Shea: So I think that's fine for some systems if, you know, I'm developing a, a system that I don't really care too much about, but if I'm developing some type of, you know, sensitive system, a military weapon system then, then I would want the provenance and the scrutiny on that code to be a little more thorough than what it currently is.

Rick Howard: The idea of a physical supply chain has been around for years. In my last gig we sold hardware and you can bet your bottom dollar that we knew exactly where we got each widget from and the companies and manufacturing processes that each of those widgets depended on, in case there was a supply shortage or a critical threat or whatever, so that we can find other sources for those widgets in a timely manner. But for the software piece of the manufacturing process, the community has kind of thrown our collective hands in the air, thinking that it was too hard to replicate those same hardware processes in the software world. The SBOM idea is the step towards solving that problem but in the paper, you say that an SBOM can be used for compliance before you even purchase the software.

Dr. Georgianna Shea: When you do software contracting you pay this company, develop this software for me and there is requirements that are associated with that but really no way to go through and, and ensure that they're meeting that compliance. There's a, you know, continuous monitoring that you can do on software and that continuous monitoring can go through to those tier two, tier three level softwares as well, so you can see how well they're being maintained, when is it changing, where is the new versions coming out. So it was really an eye opening experience doing this pilot project with Ion Channel, because they do this temporal analysis on the supply chain of the software, and the way they do that is you can plug into the repo where your, you got your configuration management and on the software development, so you can see what's happening there.

Dr. Georgianna Shea: So you can see when a software is in compliance, then when it falls out of compliance and, and for a lot of the software that they look at, you can see that it's in compliance, just before some type of deliverable to their client but then once it gets delivered it, it's no longer being maintained, so that it falls out of compliance. Or you can see software that's really well maintained, it has that in compliance, out of compliance because a new CVE popped up so then it's fixed and it goes back into the green, and you can see that okay it's being taken care of and people are following the vulnerabilities out there and they're updating it. You know like I said, if you're not doing that continuous monitoring piece of the software and the components of the software, whenever you do any type of evaluation it's just a point in time security and then I go back to that SolarWinds example where it's good in 2020 not good in 2021.

Dr. Georgianna Shea: In DOD a couple of years ago they've come up with some new acquisition pathways that rapid acquisition filled in rapid prototype filled in the middle tier of acquisitions, so if anyone's familiar with DoD acquisitions, it's usually like that long chart of 30 years to go through and do anything. If you haven't seen the movie Pentagon Wars, watch that, it's a great example.

Rick Howard: Pentagon Wars is a 1998 movie starring Kelsey Grammer, Cary Elwes, Viola Davis and a bunch of other "that guy" actors that you've all seen over the years and so captures the essence of the military procurement process that the US Air Force makes it mandatory viewing as a cautionary tale for all students taking the material command acquisition training class.

Dr. Georgianna Shea: It's a great example of, of DoD acquisitions, you're like oh, oh, that's so true but spend 30 years trying to field software based products, so there's new pathways and they encourage reuse of software, reuse of components, rapid prototyping, but then you've got to ask yourself, okay if it's, if it's rapid what are they doing for testing? So you can reuse test results which is a big red flag if you're reusing software test results, 'cause it's a point in time. So again go back to the SolarWinds example, if there's testing example, if they had done the testing in 2020 and now we're going to reuse those results and say great, let's use that software and this new Space Force thing that we're building, now it's got a back door on it but we're looking at those test results from 2020 and using it and it wasn't continuously monitored and updated and being looked as now vulnerable in 2021.

Rick Howard: In the paper you mention something about immutable auditing, can you talk to me what immutable auditing is?

Dr. Georgianna Shea: Yes. So it's the blockchain history of the software. If I'm going to use an SBOM and I'm going to circulate it and I'm going to have other people use it, you have to have a way to ensure that it hasn't been changed. The immutable auditability is, is much like, you know, your cryptocurrency using blockchain, everything else using blockchain, it's a way to ensure the integrity of the record that you're looking at.

Rick Howard: And so who would have authority of that kind of thing? I keep going back to general-purpose libraries, like a Linux library, you know, for a print driver okay, who's the authority, you know, how do you guys decide that? I mean not you guys but how, how do we decide who's the authority?

Dr. Georgianna Shea: The close authority would be the, the software developer. I, I see the, the Software Bill of Materials being integrated with the configuration management processes, so as you're going through developing, bringing software, updating it, all of that gets fed in through that immutable auditability and they're holding that record. But then given that open source ledger version of it to an organization like, like CISO, if they were taking this on or like for JFAC if you're talking about DoD, so you have that place that you go. And when I say that place that you go it, it's, it's easier in DoD to point to that place you go but it's harder outside of DoD.

Rick Howard: So give me the bottom line here George, peer into your crystal ball and forecast ten years into the future, assume that we're 100% successful deploying SBOM technology in process and also assume that the entire thing has been accepted by everybody around the world, how does it work day to day? If I'm working at a company ten years from now, I somehow feed my software list into this International SBOM system, what happens next?

Dr. Georgianna Shea: So the Software Bill of Materials that you receive when you purchase a software.

Rick Howard: Okay.

Dr. Georgianna Shea: You can now go through and determine okay is it still within the contract requirements for compliance? Did they deliver what they were supposed to? Have they been developing the way they were supposed to? So I think that's one aspect of it.

Rick Howard: That's a really good point I didn't catch right. So you're a DoD government person, you say, your software has to meet these requirements, now that you have a listing of all them, clearly these ten things are not part of that, you need to come back with a different solution right, you can do that right away.

Dr. Georgianna Shea: That's, that's what I was talking to, earlier, about the compliance aspect, there's going to be different requirements in there for the software, like you can't use Huawei technologies, hypothetical, let's just say I'm a company, I, I'm going to build some software, I use some open source stuff out there, oh it's a, it's a Huawei library. So now I've just sucked Huawei libraries into my DoD weapon system software and I handed it to the government, and the requirements is that it's vulnerability free, or only CAT 1 vulnerabilities. I'm like okay, it's, it's vulnerability free because there's no CVEs identified in this, but it just happens to be written with all Huawei libraries.

Dr. Georgianna Shea: But nobody asked, so I'm not going to tell them and I honestly didn't know it was a Huawei library because I got it on GitHub and it was embedded in something else that I used. So you can see how it just becomes a rabbit hole of vulnerabilities there, and without a way to go through and enter that compliance it becomes hard to go through and, and accept and hold contractors' feet to the fire in what is it they're delivering.

Rick Howard: It takes the burden off of the government let's say and puts the burden back on the contractor and says, go use libraries that meet the right criteria right?

Dr. Georgianna Shea: We, we've given the contractors the requirements to go through and, and do certain things but it's to ensure that compliance, 'cause once you get the software, okay run it, okay it works, it does what it's supposed to, and then you, you know, run a, a vulnerability scanner across it and there's no CVEs, perfect, excellent. Maybe some dynamics that a good analysis will take place but that's not going to give you those early indicators that you can, you know, still go through and find that it was, you know, developed by the Chinese offensive cyber division of whatever organization.

Dr. Georgianna Shea: Back, back to your question, what does the, what does it look like? So on the repository side, you mentioned International, so I see this first starting in DoD 'cause it's always easier to make them do things versus the free world where they, they have a choice. Then moving that national structure of the public-private partnership where you would have a belly button like CISO that, that takes the reins on something like this and facilitates how it's going to work, and then at the International level where we work with our NATO and UN partners on establishing best practices and how it's going to work, publicly available SBOMs would be available. So when you now as a consumer are purchasing software, you can go through and, and check up with that open source ledger and determine, okay there's integrity here in this SBOM, nothing's been changed, you don't have to worry about unknowns here because it's already been vetted, looked at and continuously monitored and now it's being stored.

Rick Howard: The software bill of materials or SBOM is a fantastic idea and that's the good news. The bad news is that it's a brand new idea too. We just started thinking about how to deploy such a thing. It's going to take us a while to get something up and running. My go-to move when hearing about new ideas like this, is to place them on my own personal Gartner hype cycle. For SBOMs, we've already had the innovation trigger, President Biden's Executive Order on improving the nation's cybersecurity, check, and we have just started climbing to the peak of inflated expectations, but we still have to get to the peak, go through the trough of disillusionment and the slope of enlightenment and finally climb to the plateau of productivity. Both George and I think we are at least ten years away from having a fully deployed solution.

Rick Howard: That said we are probably only three to five years away from being able to achieve the compliance milestones that George talked about and that's all positive. I'd like to thank George for coming onto the show to talk about this and we'll put the link to her paper in the show notes for those that want to dive a bit deeper.

Dave Bittner: Next up is my conversation with Chris Hallenbeck, CISO for the Americas at Tanium, our show sponsor.

Chris Hallenbeck: I think for a lot of organizations, they didn't see security as a priority for a long time because they didn't either understand it fully, they didn't know what was expected, they didn't have budget for it, any number of other reasons and even some market reasons, even to this day organizations get breached, you see an impact to their market price on the stock market for a few days maybe and it's back to normal. So from those perspectives it's, it's hard to get people to understand why they should care, why they should do something about it. So now we're seeing regulations step into play to increase that pressure and give them a business reason that they should want to do this, and some organizations take it in a proactive sense, as a market differentiator, to be better about security to differentiate themselves from others.

Chris Hallenbeck: So it's a mix of reasons of how we've gotten to where we are, you know, more organizations now have CISOs so that they're focused on the issues. Unfortunately there's still a lot of organizations that hire CISOs to be the scapegoat when a breach happens. Notice what I said there, when a breach happens. There's no organization out there that's ever going to escape having some form of an intrusion that leads to data loss. It's just a matter of when, not if, something will happen and this, you know, comes into that whole conversation I've had with many CISOs over time is well I've got all this responsibility but none of the authority and that's where the first problem is.

Chris Hallenbeck: A CISO doesn't have the authority to change a system, so they shouldn't own the risk. They own the responsibility for identifying the risk, identifying who the risk owner should be and educating them about the nature of the risk and what they might be able to do to mitigate the risk, they shouldn't be the one that's ultimately responsible for the, the issue unless they, they and their organization fail to identify it all together. If they've identified it, it's up to the business owner to do something about it.

Dave Bittner: It's fair to say that we're in this world where it's fashionable to come at many problems and, you know, that sort of, it's a cliché now, move fast and break things, you know, we'll, let's, let's grab our market share and we'll take care of all the details later. But I, I, I can see that extending to even things like IoT devices where, you know, your average person or even professional shopping around in a place like Amazon who may be price conscious, it's hard to comparison shop security functionality.

Chris Hallenbeck: Oh it is and that's, that's a whole different set of market pressures that keep organizations from putting out products that are secured by design. Most things in the IoT world are viewed as dispensable. You know I can, if I get a year of use out of it, that sounds pretty good to me, so why would I go and buy the thing that costs five times more that gives me some security features. When that's part of the comparison, almost everyone, when they shop, primarily shops on price, especially for the more commodity devices out there, and that's part of the conversation we all need to have, is how do we change that. What types of things slash regulation might we need to consider to force vendors in this space to start to build in some security capabilities and yes, that might move the price point, but what is the cost of all these incidents to our economy too.

Dave Bittner: Are we in essence shooting ourselves in the foot here, you know, aiming for the short term gains of putting off the security conversation as long as possible while, again, we try to grab that market share?

Chris Hallenbeck: Oh I, I think so. You know especially if you're a start up company or you're a company who, who is in a market where there's low margins to begin with. You're, you're going to be very cost conscious about what you're doing. It's kind of the nature of the beast but again, we have to find ways that we, we elevate this so that we level the playing field. If everyone has to operate with certain considerations in mind when it comes to security then they're still all competing on the, on the same level playing field and that may help in the, in the long run.

Dave Bittner: You know we, we've seen publicity of third party breaches, you know, things like the pipeline incident that happened earlier this year and, and I think that's bringing this issue more to the fore for many folks who hadn't really considered it before, is that leading to deeper conversations? Are, are people having those hard talks with their suppliers, you know, asking but also verifying?

Chris Hallenbeck: For larger corporations I think there's, there's more discussions in this space. I think right now it's still a balancing act but what I'm seeing more of is I'm seeing cyber insurance changing some of the discussion a little bit. There's more and more times where organizations are going through purchasing a policy of renewing a cyber insurance policy and the underwriters are asking more detailed questions about posture of an organization and, "oh well you don't have these things so either your premium is that much more or you don't get coverage all together in some cases." Shy of, of, you know, governmental regulation we're also seeing aspects of the market starting to regulate some of this as well.

Dave Bittner: Yeah isn't that interesting. I mean I suppose in, in much the same way that insurance companies help move the needle on things like fire safety, you know, with fire escapes and sprinklers and those sorts of things that have become standards, part of the building code. Could we see similar things like that when it comes to cyber? Could we see the equivalent of a cyber building code?

Chris Hallenbeck: I think in some ways. You know there's enough now with different security frameworks to describe posture of organizations and start to set some baseline norms of, of what a posture should be. I, I think that's where we'll be headed over time is the carriers can't, can't keep write-, underwriting policies and paying out large sums if they don't also see some change in, in the organizations. 'Cause initially people bought cyber insurance as a way of not addressing the problems and when you're managing risk, you, you can directly address the risk, you can accept it and do nothing, you can transfer that risk and often times that transference could be in the form of buying insurance.

Chris Hallenbeck: In those cases in the early stages of this, it was in lieu of addressing security at all, it was just, "hey I'll buy insurance and if I have an incident then that'll pay me out and I don't have to worry about it." You obviously can't just do that anymore. More and more the insurance companies are saying, "no no, you have to actually have a meaningful security program," there's certain minimums that they're looking at and that's going to keep tightening and, and becoming more succinct over time, and right now it's individual carriers doing their own thing for the most part from what I've seen, but they all seem to be following the same general play book.

Dave Bittner: What do you suppose it's going to take to move these conversations to the forefront, you know, to, to normalize these sorts of conversations taking place?

Chris Hallenbeck: Well I do see more executives now understanding the, the notion of when not if of breaches. Before I think most saw it as a, "we'll worry about it if it happens to us," type of thing. It seemed like such a remote possibility. But the nature of criminal activity especially things like ransomware, it's so commoditized on the criminal side of things that it's truly a matter of when. So that's, that's shifted the recognition of this. This is not a problem that is a distant one, it's here now, we have to deal with it, how we build stuff in and, again, as, as organizations are going to buy their first cyber policy or do a renewal, they're being forced to have a deeper conversation and build a program or face some sticker shock when it comes to their premiums.

Dave Bittner: Is that awareness flowing all the way to the Boards?

Chris Hallenbeck: In some cases. I think, I think there's a lot more discussions around it, more CISOs are also becoming adept at translating the technical aspects of things into broader business risk concepts that the Board already understands, so it's becoming more accessible in that sense. I'm also seeing more Boards where they have people with cyber knowledge that are a part of the equation as well. So you already have some built in experience on the Board level.

Dave Bittner: Right. Boards are, are seeking out people with that knowledge these days where in the past they may not have.

Chris Hallenbeck: Yeah.

Dave Bittner: Yeah. What do you suppose it's going to take? I mean is it, do we have to have more of these, you know, big public events where people are directly affected? Is this is a, a slow steady cultural change? Where do you suppose we're headed here?

Chris Hallenbeck: I, I think it's a mix of the two. You know you mentioned the, the pipeline and so then that one, it impacted a lot of people in a, a broad geographic area, so that caught a lot more attention. The TSA, the Transportation Security Administration, actually has regulatory authority over pipelines. They've had that regulatory authority but they, they really didn't strongly exercise it. It was all voluntary initiatives with the owners and operators of those pipelines and then after this event, TSA, with the help of a sister organization, CISA in DHS, really start, is starting to lay down requirements and, and moving away from a purely voluntary approach for some of these organizations, so that there's, there's actually not just guidance but you must do these things. That's a significant shift.

Chris Hallenbeck: We also saw the President's Executive Order, it sets out a vision for a number of Federal Agencies around cybersecurity. What people don't understand is when an Executive Order goes out, that by itself doesn't change much. It provides a vision and a general direction to all of the different Federal Agencies that can make changes at a regulatory level. And so that's what you're seeing now, is all the different agencies that are a part of that mix, are going through their rules making processes to draft new sets of guidance and regulation that'll come out into public comment periods, and then it'll start to trickle out as actual regulations for any number of different sectors. First it'll be organizations that sell stuff to the government. So if, if you're any number of software companies, you're going to be impacted 'cause you sell stuff to the government. That's going to be where we'll see the first change.

Chris Hallenbeck: We've seen this sort of thing before where the government uses its buying power to change behavior in the market. It's not often that a company will want to maintain two separate lines of product, one just to sell to the government and one not, so they'll just shift the way they do things across the board, and then the more secured products just start making it into the commercial marketplace as well. It's a slow road and we're, we're talking a horizon of a couple of years probably for some of these things to have material impact.

Dave Bittner: Is it realistic to think that we could see, you know, things along the lines of, you know, like a, a UL listing for cybersecurity or a, or a five star, you know, crash rating kind of thing where we have standards that are easy for folks to understand but actually have the work behind them. The, there is, you know, it's not just marketing.

Chris Hallenbeck: That's going to be the challenge. When it comes to technology it's, it's much the hardware as it is the software, and how much anyone is willing or able to expose because it's an intellectual property, that's going to be interesting to see. I would like to see some, some voluntary efforts around that to help improve things so to help people shop for something better. That's certainly a piece of this. We may have to go the route of some, some aspects of regulation. California has regulations around when you, when you buy certain types of electronics over a certain dollar value, how long the warranty must be for, for certain aspects of it in terms of availability of parts and, and things of that sort.

Chris Hallenbeck: So that solves for some aspects of e-waste, but what would be interesting is using that same model to require that products have to be able to receive, have to be designed in a way that they can receive security updates and that security updates have to be made available for a certain number of years, so that those devices can be protected, they don't just become immediately disposable things. We're actually seeing that, I believe it was Germany just recently announced an effort for a possible regulation requiring that phones have to receive security related updates for up to seven years. It's proposed, it's not anything that's been enacted yet but there's other places that they're, they're experimenting with aspects of regulation as well to supplement.

Dave Bittner: What's your advice to that CISO who wants to be on board with this, who wants to, you know, be part of the group of people who are taking the leading edge of an effort like this?

Chris Hallenbeck: You know, first and foremost, when you're going out to buy things, write it into your RFP, write it into your requirements for devices and systems to be upgradeable in some manner and to be maintainable over time. That's one of the first things, and then working through supplier risk management to require that your suppliers of these things can also articulate how they securely develop their product, so that you don't have back doors in it like we saw with something like SolarWinds or something of that sort. And believe me, SolarWinds was not the only one, and it's far from being the last one to be impacted by a supply chain attack. But you have to start asking the harder questions about how a supplier or vendor secures their product development life cycle. That's a part of the equation.

Chris Hallenbeck: So for a CISO, writing good requirements up front about, you know, capabilities and minimum standards into the product, and then doing the evaluation of the vendor, agnostic of the product itself, to look at their security posture.

Dave Bittner: You know, Chris, I think it's fair to say that in the last couple of years, thanks to Covid, we've seen a huge injection of uncertainty and chaos, you know, when it comes to how people are interacting with their devices, their computers. You know, kids are learning remotely, people having to work from home. Any thoughts on that aspect of it, that, you know, things are very much in a state of flux right now?

Chris Hallenbeck: Things have been in flux. I think we're settling down into a rhythm at this point around that, but we still have the, I guess, the backlog or the debt, if you will, of things that we didn't address. So as organizations pivoted to deal with Covid, they suddenly had workforces that needed to be at home, they had students, so anything that would enable them to be able to attend school or do some amount of work from home was an okay solution, even if it meant not being able to secure those devices. That was okay initially because it just kept the lights on, so to speak. Now we're at that point where it's steady state with all of this, and it's time to pay the piper.

Chris Hallenbeck: We need to go back and evaluate what is in the mix, what is being used, where does that data now live that maybe it shouldn't, all of those types of questions. We didn't have, you know, people that are working off of MiFis for cellular Internet because they didn't have Internet at home, things of that sort, which most of those devices do have an upgrade path, but it's not meant to be centrally managed. I know of some school districts that had set up MiFis for distant families so that they could be on it, but those devices can't be managed, and so what do you do? You just send instructions home and give the parent in the household the administrator password to the MiFi to periodically do an update. You know, there are still questions around how do you maintain these devices over time, 'cause they still do need to be maintained. There's no graphical interface on one of those little hockey pucks for Internet access. On your phone, sure, you can tell them to click through these menu options and then automatically apply an update, but that doesn't often occur. Usually you have to manually trigger it on some of these things.

Chris Hallenbeck: So yeah, there's a lot just for home users, things of that sort. In the workplace, a lot of personal devices, a lot of sending someone to go to Best Buy and buy the first laptop they see, to just have something to work from home with, and those devices were never built to a corporate standard. You know, it's a matter of identifying those devices, getting them aligned to a corporate standard, securing them, because they probably don't have all of the security services on them that they should have, like a corporate asset normally would. They might not even have been captured in the asset inventory system, because normally purchasing tracks it from the time it's ordered all the way through to the time it's delivered to an end user. So there are processes that were bypassed in a number of areas that we have to go back and do some clean-up work on now, you know. We've had time to catch our breath a little bit, and now it's time to do that hard work.

Dave Bittner: That's Chris Hallenbeck, CISO for the Americas at Tanium. On behalf of my colleague, Rick Howard, our thanks to Dr. Georgianna Shea from the Foundation for Defense of Democracies for sharing her expertise, and to Tanium's Chris Hallenbeck for joining us. CyberWire-X is a production of the CyberWire and is proudly produced in Maryland at the start-up studios of DataTribe, where they're co-building the next generation of cybersecurity start-ups and technologies. Our Senior Producer is Jennifer Eiben, our Executive Editor is Peter Kilpe, I'm Dave Bittner, thanks for listening.