Cyber confidence: Knowing what you have and where it is.
Rick Howard: Hey, everyone. Welcome to "CyberWire-X," a series of specials where we highlight important security topics affecting security professionals worldwide. I'm Rick Howard, the chief security officer, chief analyst and senior fellow at the CyberWire, and today's episode is called "Cyber Confidence: Knowing What You Have and Where It Is." A program note - each "CyberWire-X" special features two segments. In the first part, we'll hear from an industry expert on the topic at hand. And in the second part, we'll hear from our show sponsor for their point of view. And since I brought it up, here's a word from today's sponsor, LookingGlass Cyber, a global leader in cybersecurity.
Rick Howard: I'm joined by Jaclyn Miller, the head of infosec and IT and chief security officer at DispatchHealth and also a long-running visitor here at the CyberWire Hash Table. Jaclyn, thanks for coming on the show.
Jaclyn Miller: Thanks, Rick. Happy to be here.
Rick Howard: So today we're talking about visibility or attack surface management. So let's start with some basics. When you think about those issues at DispatchHealth, what does it mean to you? What do you - what are you trying to do?
Jaclyn Miller: Yeah. So I'm thinking about the different domains of our attack surface and what are our different opportunities or vectors to be able to gain visibility of those different surface areas. With a company like DispatchHealth, where we are literally changing how health care is delivered - in health care, the principal idea arose - you're largely dealing with a campus or offices, and all of the patients come to that campus or office to receive care. We are bringing health care into the home. A lot of the concerns that have come up with COVID and remote work are doubly so for us because we are sending our providers into patients' homes, having to deal with mobile connectivity and networks, potentially, that we don't have control over.
Jaclyn Miller: And so we have to become very creative about leveraging flexibility but also leveraging many different tools in order to gain visibility, particularly with endpoints. All of those endpoints are then connecting back, of course, to the different applications that are running in the cloud, public cloud environments or SaaS applications that are protecting PHI - patient PHI. So we are thinking about a very complex attack surface. And managing all of that visibility into one pane of glass is, of course, very challenging because all of those different services are very different from a technology perspective.
Rick Howard: So a couple of things before we dive deeper into this - first, you mentioned an acronym there - PHI. What does that stand for?
Jaclyn Miller: That is private health information. So under the HIPAA laws, HIPAA regulations, that is the 18 elements that make up a patient's chart or pieces of information that is related to patient health care.
Rick Howard: Did this delivery model that you guys are trying to do at DispatchHealth - did that start because of COVID, or it helped it because everybody was locked in their rooms, or you guys were already down that path - or what was the impetus there?
Jaclyn Miller: Yeah. We were already down that path well before COVID. I think COVID really just accelerated a trend that was already in progress with health care in the home. We're in the third year of the pandemic, and the idea of delivering care in the home in many different facets than prior to the pandemic has become widely accepted. And we're seeing very large companies - everyone from Amazon to CVS, United, Humana, et cetera - being very, very interested in this model of care.
Rick Howard: So you guys are startup. And the CyberWire's a startup. And you would think that because we are so small, that we could have a handle on where all of our data is. But in truth, it's scattered to and fro in what - I've heard you describe it as data islands. So can - you were talking about that a little bit before I sidetracked us on COVID - but can you describe the complexity of that situation when your data is scattered all over the place?
Jaclyn Miller: On one hand, being a startup means that we can be flexible and adopt new technologies that more established organizations have trouble really accessing and leveraging. But on the downside, that means that we're often moving so fast that piecing together the technology that we use or interconnecting that technology can be often missed. And I think that's how we developed this idea of data islands.
Jaclyn Miller: We have a specific business problem or use case that we're looking to solve, and we deploy technology to specifically solve that problem. But we don't spend the time to interconnect that, you know, technology or sometimes a suite of technology or tools into our existing operational tools and landscape. And I think in startup, when you're making a lot of tradeoff decisions, having security monitoring, security visibility or even just operational visibility into those data islands is often left off the project plan, and it ends up being an after-action review or a finding in, you know, a risk assessment that we perform, where we have to go back and figure out how to make these things work. So it's not part of the technology selection. And I think that's probably the No. 1 reason why we end up with data islands, is 'cause we don't think about that integration from a visibility standpoint. We only think about interoperability from the business standpoint.
Rick Howard: Well, I don't think it's just a security thing either. I mean, you know, I'm a relatively old-timer compared to you. And, you know, when I started doing this back in the '90s, we just had one island. You know, it was just the data center, right? But as the cloud started to take over in the, you know, mid-2000s, let's say, all of a sudden, our data was exploding or being delivered or distributed all over the place. So, you know, we got cloud providers, like Google and Microsoft and Amazon. And then just fast forward to, you know, five years past that, maybe, it became acceptable to use your personal work phone to do work, right? I mean - and some organizations got there sooner than others, but I think pretty much that's kind of the standard practice these days.
Rick Howard: So it's big cloud providers. It's mobile platforms. And plus, I'm sure you guys are the same as us. As a startup, you know, we're using 100 SaaS applications to run the business, so data's distributed through all that. So that's what I mean by data islands. And like you said, there's no cohesive connectors, you know, that makes you - that gives you visibility of all that. I think that's where the complexity is. Is that what your experience is, too?
Jaclyn Miller: Yeah. Definitely it is. And you know I think the first place where things start to get stitched together is always around access, right? Centralizing and making access administration easier when you've got so many SaaS applications is an intuitive next step and a good place to start from visibility standpoint. But then when we start putting on our security hat - so we think about what type of data, what's the classification, have we broken down - within the application itself - do we have RBAC deployed, not just of getting SSO initially deployed - that's where that level of visibility starts to get really, really cloudy. And it's very hard. You know, we're back to spreadsheets to keep track of all of that information.
Rick Howard: Here we are, 2022, and roll out the RBAC spreadsheet, right?
Jaclyn Miller: Yep.
Rick Howard: So you mentioned RBAC. Tell me what the acronym stands for, for the audience.
Jaclyn Miller: Yep - role-based access control. So that's where we are looking at fine-grained access controls to give people access only to the data that they need within a specific application.
Rick Howard: And which is the central piece to any kind of zero-trust strategy that you're trying to roll out and also important to any kind of identity and access management program, so that's a model for us. But I would say from medium to large organizations, they can start on this path, this identifying the attack surface, with tools they already have in place. You know, most any organizations of size have a few firewalls deployed. And modern-day firewalls are application firewalls or layer 7 firewalls. And any network traffic that goes through one of those devices is classified as an application.
Rick Howard: Like, going to Facebook is an application, using Gmail, watching Netflix, you know. Even pinging a host - in the firewall's eyes, that's an application. So if you configure the firewall correctly, you can get at least a preliminary view of the network flow and your environments, regardless of the data islands. But for you and me - you know, that doesn't work for small organizations. Many startups and small organizations don't even have firewalls deployed. So what do those organizations do?
Jaclyn Miller: Yeah. There's a couple of ways to do it that I found - at least to approach that level of maturity. One is thinking about conditional access and starting to configure that with your IDP, your identity provider. And so, you know, for example, if you're using Azure AD and you start to put in kind of those application aware rules where, even for SaaS applications, when you're SSO integrated, if you're able to confirm that the user is coming from a secured device before they access the application, then you can start to become more aware of times when, you know, you get alerts where somebody is accessing something from an unideal location. You'd be able to differentiate that traffic. So it's more getting aware of the things that you care about.
Jaclyn Miller: It doesn't necessarily help with what you talked about with the firewall-based access. Is my provider accessing - or my employee accessing Facebook when they should be doing work? It's not going to give that level of visibility. For that, really, having, you know, some type of tool in place that does URL filtering to give the - more understanding about what's going on in the browser is almost required. So things like CASB, Zscaler are tools that I think - for smaller organizations, putting that into your roadmap is really, really important because it is kind of the replacement for the firewall-based approach.
Rick Howard: Yeah. But like you said, you know, you and I are small. I have no money to do any of that. So anything we're doing in this area, we're home-growing it, right? We're...
Jaclyn Miller: Yep.
Rick Howard: We're doing it on our own. So is that your team writing their own software, or are you dishing that out to the CIO team? Or - you are all those things. But how do you manage that where you are?
Jaclyn Miller: We're largely piecing together the tools that we have today to create better visibility. And then because we are within the healthcare industry, we are heavily regulated. So those are tools that we're putting on our roadmap, and we're trying to figure out what are the trade-offs that we have to make - you know, the difference between hiring somebody next year versus bringing in a new tool like that to help us as we scale. So eventually we're going to hit the limit of what we can do with writing our own solutions, internal solutions. And we'll need to go to something that's more enterprise grade.
Rick Howard: Is that one of the cases where compliance laws help a startup? Because it gives you more ammunition when you go to the boss and say, hey, I need to build this thing. I need tools to do this. Does that help at this stage, or is it still more of a - I don't know - more of a headache for everybody?
Jaclyn Miller: I think it's probably a bit of both, to be honest.
Rick Howard: (Laughter).
Jaclyn Miller: At this stage, we're in that grey zone where we're - we have - we are a large startup, but we aren't quite there yet. So it definitely does help because there is a focus on protecting patient data across the organization. That is a key goal and metric of ours. But we also have to be good custodians of the business and understand that, you know, if we're making a decision between being able to provide patient care and taking on this type of initiative, then the decision is always going to be to take care of the patient first.
Rick Howard: So your experience has been in charge of security at a large organization. Now you're at a startup. So you've seen both sides of the coin. Any advice you can give to newbies out here that are trying to figure this attack surface thing out - any recommendations?
Jaclyn Miller: Meet your organization where they are. You kind of have to take a really strong look in the mirror and recognize where your business is at. If you come at the board or your senior management hard on these topics, it's complex. It's difficult for them to understand because it's not the world that they live in. So find ways to translate these types of projects into corporate objectives as well. The second would be to use what you have to the best of your capability. And be creative and scrappy with what you have.
Jaclyn Miller: I like to use the three points of data rule. It's like if we can get three points of information or visibility on something, then we have pretty high fidelity. And you can actually do that with a lot of tools, whether that's endpoint management tools, you know, our IAM tools and many other things that are probably already in your suite. And it's just a matter of piecing them together, which does take time and focus in your security roadmap. If you can get three points of data on any user asset, then you have very high likelihood that it's accurate, and you really know where the asset exists or where the user exists and what its status is.
Rick Howard: I was just listening to a podcast, and the guest was John Kindercag. And he was trying to explain what zero trust was. You know, he's the father of zero trust back in the day. And he was saying that most people get the idea of zero trust wrong because they're assuming you have no trust. He says, no, no, no. We're trying to get confidence in our trust, that we trust that device, that person is who they say they are or is what they say they are. And using your three point data rule, that gives you high confidence that you get there. I think that matches nicely.
Jaclyn Miller: It does. And it really helps with the zero trust roadmap, which is enough of a buzzword at this point that I think executives outside of IT and business leaders outside of InfoSec understand. They at least, you know, they want to say that we're on a zero trust roadmap or we've got it. So having that three points of fidelity really helps implement zero trust a lot faster and is a huge underpinning to being able to achieve it.
Rick Howard: Good stuff, Jaclyn. But we're going have to leave it there. That's Jaclyn Miller, the head of InfoSec and IT and chief security officer at DispatchHealth. Jaclyn, thanks for coming on the show.
Jaclyn Miller: Thanks so much. Appreciate it.
Rick Howard: Next up is my colleague Dave Bittner's conversation with Cody Pierce, the chief product officer at LookingGlass Cyber.
Dave Bittner: Cody, today we're talking about this whole notion of visibility into folks' multi-cloud environments, those sorts of things. Can we start off with just some high-level stuff here? Can you give us a little bit of the lay of the land of kind of where we find ourselves and what led us to this point?
Cody Pierce: I think there's a couple of drivers to where we are at currently and what I think people in cyber and generally in business are struggling with from a security perspective. One is that there's, you know, massive digital transformation going on. So most businesses or, you know, most of the large organizations are moving to the cloud, transforming their business so they can reach their customers anywhere their customers are, and providing that access to, you know, work from home or remotely, internationally. And so they're expanding their IT footprint.
Cody Pierce: A lot of that is single cloud adoption as they move from a traditional on prem or maybe hosted or co-located IT stack to an Amazon or a cloud provider. But 60%, last I checked, actually are adopting multi-cloud. So not only are you moving to something that you may have had a lot of control over, and you might have had a closet of IT assets and a firewall - and it wasn't connected to the internet directly - to a cloud provider, where they have hundreds of services from databases to compute and more, which, by default, a lot of times, it's connected to the internet. And so that expansion is what we kind of - is what we consider the attack surface, that expansion of IT assets connected to the internet from an external attack surface. And then that complexity of your IT moving to something that is a little bit more out of your control, a lot more complicated in many cases and a lot - you know, a lot more room for error.
Cody Pierce: And I think there's a general worry, which is a very validated worry, that this huge transformation - they may not have the visibility or the security controls or analysis of that complexity as they adopt these new platforms. When you add in multi-cloud - while moving to the cloud is - generally, the cloud providers are similar in the services they offer, but a lot of the built-in security is different per provider. So Amazon's - what they would recommend their security stack looking like is different than what Microsoft would recommend their security stack. So you have an extra problem of - you're having to learn more. You may be managing multiple security stacks, and it's, in a lot of cases, kind of a new environment for your IT and DevOps people. And so that's just created a visibility problem first and foremost.
Cody Pierce: And I'm a big believer in cyber hygiene. I'm a big believer that the fundamentals matter, often more than some of the more extreme or technical or cutting-edge things in cybersecurity. And for me, one of the pillars of that cyber hygiene is good visibility. And it's a paradigm shift. It really is. And I think a lot of CISOs, and now more and more of the board or the C-suite, are asking, do we have visibility into our IT assets as we move to, you know, cloud and as we digitally transform the business? And I'll say one more thing about that. This digital transformation - which I just kind of define as, you know, moving to more of a, you know, decentralized or cloud-based or data-rich environment, something like that - is good for business. It's - for - in my opinion, most businesses need to take that leap. It has so many benefits from data to cost to speed that it's good.
Cody Pierce: And so cybersecurity is always at the point where we have to understand and support what is a positive advancement in technology. And that creates the, you know, dynamic of trying to secure what is moving fast and doing that really well. And I think that is really kind of one of the fundamental things. You know, I could add that working remote or working from home or being international is secondary, but a lot of those problems are, again, tied to the fact that you're no longer just on a VPN connected to a colo. I think - I may be getting these stats slightly incorrect, but, you know, 80% of corporate traffic is now going over the internet. You know, you're not in a studio, plugged into a LAN. And I think those are all kind of working together, and people are - really just kind of need to retool and kind of get their hygiene down first.
Dave Bittner: Is your sense that there's a general awareness that this is an issue of these specific risks?
Cody Pierce: I believe there is an understanding of the risk. Over the last decade, there's been more visibility into the cyber investment and outcomes in most large organizations. So I think the conversations happen, and that's a good thing. What I would be curious about is the understanding at the more technical level or more operational level and understanding if Amazon is going to cover all of your security needs and that's factored in your transition to the cloud or maybe choosing that provider - and if you believe that, you may be missing a lot of the work that needs to go into actually creating that. So I think there's definitely an understanding. I'm not sure if - because it's such a different environment, I'm not sure if the IT people are as experienced managing that versus a colo or on-prem solution, if they understand what security the cloud platforms are actually providing and, you know, how you need to invest to augment that. And that includes rewriting your security policies and changing your risk assessment and risk appetite for this new, more dynamic world.
Dave Bittner: To what degree are we dealing with, you know, folks being kind of comfortable and maybe even, you know, blinded to things that are happening within their organization? I guess what I'm saying is, is this a situation where having a fresh set of eyes come in to take a look at things could really be to an organization's benefit?
Cody Pierce: Oh, absolutely. I would never - I would always have different perspectives. I mean, it's good to have more help and more perspectives and more vantage points when you're collecting data or assessing the security of a business. And frankly, when you do adopt more of these cloud services - Amazon has over 150 different individual services - the scale is something where you likely do need help at least for some time.
Cody Pierce: Now, if you are - if you have a massive security budget and you're bringing people in that are experts in some of these things, then that's great. You still probably want another perspective. And the good thing is that if you can get those multiple perspectives with your own people that understand the environment and the problem, then that feedback from the second party is actually going to be more meaningful. They'll know what to do with it. So you have different vantage points and different places that you need to collect the visibility data or exposure data or threat data. And the more of that you have - if you do it in the right way, then I think you build up more confidence in what you as an organization need to invest in and what you need to prioritize.
Dave Bittner: What's been your experience in terms of getting buy-in from, you know, the folks who'll have to sign off on this sort of initial effort but then, you know, the ongoing part of it as well?
Cody Pierce: The initial part - so I think there's definitely buy-in for bringing in or augmenting security teams that are making a large change in adopting the cloud. I think people have - are, you know, are realistic that this is a potential risk, like it is a business risk moving, you know, your IT to a different platform, and a cost risk. So there's an appetite for that. Now, the complexity of the cloud means that, I believe, while potentially budgets have increased to support the cloud adoption, it may not be well understood that you have to be even more aware of the area of security you're going to invest that expanded budget in because you can't cover everything right off the bat.
Cody Pierce: And with - what LookingGlass does is we try to provide that buyer multiple different ways that they can partner with us and work with us and, you know, get value out of one of our solutions. And then as they grow and they need more, they need something different, you know, we can work with them there. So it's a nuanced - I think it's a nuanced question. I don't think we can generalize too much, but I generally see that as how it breaks down, that it's a good thing that budgets are increasing. We just have to make sure that we are using that precious dollars to invest in something that's going to have the most bang for the buck.
Dave Bittner: What are folks experiencing on the other side of this? You know, once they get a handle on this and it becomes a regular part of their operations, what sort of things are you hearing?
Cody Pierce: I like to point to DevOps and agile. Once you're a little bit more established, you start generally increasing automation, increasing the use of platform as code or infrastructure as code. And so you have these moving parts that your developers, engineers or IT are adopting that help them be more consistent and help them build faster and all those other good things. And I think what we see on that side is people want to - they may have an idea of a, you know, a baseline, a secure baseline, and that's what they want to stick to. They want to make sure that they don't deviate.
Cody Pierce: So we see a lot of people, for instance, in DevOps, where an engineer or a team is building something, and they're deploying containers or assets in the cloud, and they may not realize that their development environments that they're pushing to the cloud are not as secure or not following the same principles that their production systems may follow. And you get, you know, a asymmetry, where attackers are very capable of finding out that you have developer systems that have lax security, and they'll go after that versus your production systems. And that deviation from a baseline or the expected security policies that you have - and that includes controls, authorization, identity management - that deviation becomes more important. So we want to be able to tell you that we just discovered, you know, a new database in your Amazon cloud that isn't - does not have the firewall policies.
Rick Howard: We'd like to thank Cody Pierce, the chief product officer at LookingGlass Cyber, and Jaclyn Miller, the chief security officer and head of InfoSec and IT at DispatchHealth, for helping us get some clarity about gaining network visibility. And we'd like to thank LookingGlass Cyber for sponsoring the show.
Rick Howard: “CyberWire-X” is a production of the CyberWire and is proudly produced in Maryland at the startup studios of DataTribe, where they are co-building the next generation of cybersecurity startups and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. And on behalf of my colleague, Dave Bittner, this is Rick Howard signing off. Thanks for listening.