The CyberWire Daily Podcast 2.25.20
Ep 1031 | 2.25.20
Cloud Snooper is out and about. US states’ contracts with Chinese vendors. Voatz receives more scrutiny. Facebook’s troll hunt--no joy this time. Notes from RSAC 2020.
Transcript

Dave Bittner: [00:00:05] Cloud Snooper is infesting cloud infrastructure servers. A China-skeptical advocacy group draws attention to U.S. states' contracts with Chinese vendors that aren't named Huawei. Senator Wyden would like the security company that audited the Voatz to explain the clean bill of health it gave the voting app. Facebook's campaign troll hunt comes up empty, so far, this time. And what we're seeing and hearing at RSAC 2020. 

Dave Bittner: [00:00:37]  And now a word from our sponsor ExtraHop, securing modern enterprises with network detection and response. Security teams today want to say yes to cloud adoption just like they want to support enterprise IoT and edge computing. But the more complex your architecture, the less you can trust your perimeter to keep threats out. When attackers make it into your environment, you need to be the hunter, not the hunted. ExtraHop helps organizations like Home Depot and Credit Suisse detect threats up to 95% faster with the context they need to act immediately. Visit them at RSA for a full product demo of threat detection and response for cloud, multicloud and hybrid enterprises, or learn more at extrahop.com/cyber. That's extrahop.com/cyber. And we thank ExtraHop for sponsoring our show. Funding for this CyberWire podcast is made possible in part by McAfee, security fueled by insight. Intelligence lets you respond to your environment. Insights empower you to change it. Identify with machine learning. Defend and correct with deep learning. Anticipate with artificial intelligence. McAfee, the device-to-cloud cybersecurity company. Go to mcafee.com/insights. 

Dave Bittner: [00:01:57]  From RSA 2020 in San Francisco, the city by the other bay, I'm Dave Bittner with your CyberWire summary for Tuesday, February 25, 2020. 

Dave Bittner: [00:02:07]  Sophos reports finding a sophisticated infestation of cloud infrastructure servers hosted in the AWS cloud. The researchers call it "Cloud Snooper," and they emphasize that this isn't an AWS problem per se. Cloud Snooper is distinctive in the way its command and control traffic rides on top of legitimate, normal web traffic, doing so in a way that bypasses many firewalls. The capability and complexity of the attack, along with its use of purpose-built malware, suggests to Sophos that the threat actor may be a nation-state, or at the very least an unusually capable criminal group. 

Dave Bittner: [00:02:43]  A report from China Tech Threat warns that many U.S. state procurement officials are buying risky technology from Chinese vendors. The group's report mentions Lexmark and Lenovo in particular and urges the National Association of State Procurement Officers to help its members introduce greater security into their acquisition processes. Lexmark denied presenting any such threat, telling Nextgov that the report contains inaccuracies and mischaracterizations. Lenovo hadn't replied to Nextgov by the time they went to press. 

Dave Bittner: [00:03:15]  Lexmark may indeed feel ill-used, and China Tech Threat's warning is based not on any specific behavior on the part of either Lexmark or Lenovo, but rather on the group's observations of state purchases, the permissions the contracts give to vendors and its understanding of China 2017 National Intelligence Law. China Tech Threat recommends that the states ask themselves two questions. Have procurement leaders unwittingly allowed China to access sensitive government and private citizen information? And should state procurement officials eliminate existing contracts with Chinese-owned manufacturers for the sake of maintaining data privacy and confidentiality? 

Dave Bittner: [00:03:55]  It's perhaps worth noting that there are Chinese companies other than Huawei and its smaller rival ZTE, and that such companies may also merit security scrutiny. But it's also worth noting that specific security bad behavior has been alleged of Huawei far more than it has been charged to other firms. 

Dave Bittner: [00:04:15]  MeriTalk says that U.S. Senator Ron Wyden, Democrat of Oregon, has written ShiftState Security to ask what sort of vetting the company applied to its client Voatz when it checked Voatz's voting app. The senator is particularly interested in ShiftState's reaction to an adverse report on Voatz that MIT researchers rendered on February 13. Senator Wyden has asked ShiftState's chief security officer to provide him by March 9 answers to three questions in particular - how many of the ShiftState personnel who audited Voatz had experience in election security, cryptographic protocol design and analysis, side channel analysis and blockchain security, whether ShiftState discovered the same flaws as the MIT team and, if they didn't find those flaws, could they please explain why they publicly said Voatz did well in the audit? And does ShiftState disagree with the MIT researchers' findings? If they do, why? 

Dave Bittner: [00:05:11]  Senator Wyden has also asked NSA, in a letter to Secretary of Defense Esper and Director NSA Nakasone, to conduct a security audit of Voatz, which suggests that he's unlikely to be fully satisfied by what ShiftState winds up telling him. Voatz has strongly disputed the results reported by the MIT researchers, so the responses, if any, from ShiftState will be followed closely. 

Dave Bittner: [00:05:36]  The Wall Street Journal reports that Facebook has been unable to substantiate claims by an outside researcher that some ill-behaved supporters of Senator Sanders were, in fact, either Russian or Republican trolls. Had Menlo Park found evidence of coordinated inauthenticity, Facebook says, they'd have taken down the offending sites, pages, posts and so on. 

Dave Bittner: [00:05:57]  Dr. Chenxi Wang is the founder and general partner of Rain Capital, a cyber-focused venture fund. This Thursday at RSAC 2020, she's part of a panel discussion titled Do Investors Care about Cyber-Risk? She stopped by our booth in Broadcast Alley to share her insights. 

Chenxi Wang: [00:06:15]  RSA is a conference that I've been to for probably more than 10 years now, right? And it used to be just one - in one building and now in two buildings, or several years ago in two buildings now. I tend to prefer the smaller booth where you see the more early-stage companies, you see more innovation. Not to say large companies don't have innovation, but they're more established. You kind of know their technology solutions better. The small ones - you tend to find pleasant surprises - right? - so a new approach to solving a problem or new ways, new perspective looking at a challenge. I find that really interesting. So I usually go to the - I call it the fringe of the conference - right? - the smallest booth. People can't afford to buy a big booth. Those companies I pay more attention to. 

Dave Bittner: [00:07:11]  Let's say someone has that booth around the fringe of the conference and they do attract your attention. 

Chenxi Wang: [00:07:19]  Yeah. 

Dave Bittner: [00:07:19]  And you say, let's have a meeting. What's your advice to that person? How should she prepare to get the most out of your time and not waste your time? And what sort of things do you like to see in those initial presentations? 

Chenxi Wang: [00:07:34]  Great question. So I think as - a pitch to an investor is somewhat similar to a pitch to a potential customer, right? You have to convince them that this is an interesting solution. It's worth your time to dig into. And there's some nuances for investors particularly I'm going to talk in a little bit. But the general framework that I advise people start with is, what is the problem? Why is the problem important? Why are we uniquely qualified to solve this problem? What is the shape of the solution that we bring to you? And then the fifth one for investors is, how big is the market? 

Dave Bittner: [00:08:22]  Well, here at the conference, you are going to be part of a panel discussing the question, do investors care about cyber-risk? What can folks who attend that - what can they expect to hear discussed? 

Chenxi Wang: [00:08:35]  Yes. So this is an interesting panel because the two gentlemen I'm on a panel with - one of them is an analyst from Goldman Sachs and the other one is a former CISO from Moody. So both of them sit from the position of analyzing companies. The reason that the organizer of the panel wanted me is to add that perspective from the other side of the table, versus people who are analyzing companies. And I can tell you from my perspectives of these different roles that I take on these days, investors care a lot about cyber-risks. 

Chenxi Wang: [00:09:18]  So I sit on a board of a public utility and construction company. And being a utility company, they operate critical infrastructure - right? - so consumers depending on their electricity and natural gas services, and that cannot be disrupted. So cybersecurity is very important for that sector of the industry. And their investors, along with investors of other public companies, are increasingly asking public companies to disclose more information about what they do in terms of cyberdefense. And same thing goes with, you know, their increasing pressure on disclosing more information on environmental and sustainability issues, and those all sort of go hand in hand. 

Chenxi Wang: [00:10:06]  As a private investor, meaning that, you know, people who invest in private companies, we care a lot about the operation of the company, whether they take security into consideration, because at some point, as an investor, you want the company to exit, right? 

Dave Bittner: [00:10:23]  Right. 

Chenxi Wang: [00:10:24]  So that means they either become a public company, which will be under the same level of scrutiny, or they have an exit - being sold to a larger company who, in the M&A process, will scrutinize their cybersecurity maturity. Because of these reasons, we investors, whether it's private company investors or public company investors, all care a lot these days about cybersecurity risks. 

Dave Bittner: [00:10:52]  As we look toward the coming year, you know, looking towards the horizon, what sort of trends are you tracking? Where do you think - from an investor's point of view, are there things that you see changing in the short term? 

Chenxi Wang: [00:11:05]  So a few things I think are notable in terms of trends. One is the attitude and treatment towards privacy. I would say three or four years ago, you would be hard-pressed to find a privacy tech company in this conference. And I think this year, you'll see more than a handful of companies that are automating privacy engineering or providing privacy services for data protection. And those are, I think, a notable shift in industry, right? So we - consumers and companies paying more attention to privacy and how to provide privacy to users is a big shift. 

Chenxi Wang: [00:11:52]  Another thing is the sort of general acceptance of cloud computing. Because cloud is here and is here to stay, cloud security is now a very, very visible strategic initiative for many companies. 

Chenxi Wang: [00:12:12]  I am also looking forward to seeing more women at the conference this year. So I'm seeing a lot of new action, new - sort of a new blood into the industry. And people want to take on being a security engineer or being a hacker from different walks of life, which is very interesting to us. And I'm looking forward to more diversity in industry. 

Dave Bittner: [00:12:38]  That's Dr. Chenxi Wang from Rain Capital. 

Dave Bittner: [00:12:42]  Yesterday's big event at RSAC was, as it usually is on opening Monday, the Innovation Sandbox. In this event, the conference honors a particularly innovative startup. They typically begin with a field of about a hundred applicants, then winnow them down to the 10 finalists who present in the sandbox itself. And yesterday, the judges selected 2020's winner. Privacy specialist SECURITI.ai was named this year's Most Innovative Startup in the Innovation Sandbox. Master of Ceremonies Dr. Hugh Thompson called this year's field maybe the strongest we've ever seen. The judges found the problem the company focused on - privacy - compelling. They thought the way in which regulators would drive the market in privacy solutions was particularly important and that SECURITI.ai was well-positioned to ride that market force. 

Dave Bittner: [00:13:31]  The company's theme is transforming privacy operations with robotic operations. Its presentation emphasized that privacy is a basic human right, but data sprawl makes it difficult for organizations to effectively safeguard that right at the individual level. SECURITI.ai argued for an approach in which privacy operations overlaid automation and orchestration atop people-data intelligence. 

Dave Bittner: [00:13:56]  It's worth mentioning the other nine companies selected as finalists - AppOmni, BluBracket, Elevate Security, ForAllSecure, INKY, Obsidian, Sqreen, Tala Security, and Vulcan Cyber. Innovation Sandbox finalists have over the years compiled an enviable record of both effective innovation and business success. Congratulations to them all on some well-merited recognition. 

Dave Bittner: [00:14:26]  And now a word from our sponsor LookingGlass Cyber. Organizations have been playing a dangerous game of cyber Jenga, stacking disparate security tools, point solutions and boxes one on top of the other, hoping to improve their security posture. This convoluted and overloaded security stack can't hold up in today's microsegmented, borderless and distributed networks. As the enterprise network grows, organizations need a flexible protection around their unique network ecosystems. By weaving security into the investments your organization has already made, formerly disjointed tools can communicate with one another to disrupt and distract the adversary without revealing your defenses. With a software-based approach to unifying your security stack, security teams can easily scale their protection to fit their needs with one integrated software solution requiring no specialty hardware. Meet the Aeonik Security Fabric. Learn more at lookingglasscyber.com. That's lookingglasscyber.com. And we thank LookingGlass Cyber for sponsoring our show. 

Dave Bittner: [00:15:40]  And I am pleased to welcome to the show Rick Howard, our latest addition to our CyberWire team. Rick, always great to have you here. 

Rick Howard: [00:15:47]  It's great to be here. 

Dave Bittner: [00:15:48]  We are here at the RSA Conference for 2020. And I wanted to get your insights. Back when you were working at Palo Alto and you would come to a show like this, how did you approach it? When you were deciding what sort of tools you were going to purchase for Palo Alto or checking out the competition - those sorts of things - how did you approach a show this big? 

Rick Howard: [00:16:10]  Well, first, I just love this show - all right? - because, first, San Francisco is one of my favorite cities. And this week, the weather is just fabulous. 

Dave Bittner: [00:16:18]  Right, right (laughter). 

Rick Howard: [00:16:18]  So it's gorgeous. And, you know, the RSA is kind of a mix between Mardi Gras for nerds and high school reunion, right? Anybody that you've ever met in the industry comes here at some point in their career. 

Dave Bittner: [00:16:30]  That is true. 

Rick Howard: [00:16:31]  This morning, exactly, I've been meeting the same person at the same corner at the same time for seven years. And we only see each other once a year, and that's what we do. 

Dave Bittner: [00:16:40]  Somebody needs to write a movie. 

0:16:41:(LAUGHTER) 

Rick Howard: [00:16:44]  So what's great about the RSA Conference is everybody comes here - every vendor comes here, and then every serious cyberdefender comes here. And if you're trying to network with people, this is a way to get a lot of things done very quickly in a very compressed amount of time. The presentations are really good. But most of the work going on here at RSA is not being done in the actual conference session, right? 

Dave Bittner: [00:17:07]  Right. 

Rick Howard: [00:17:07]  It's being done in all the hotels and all the bars around the area. So you get to talk to a lot of different vendors, and you get to talk to a lot of cybersecurity thought leaders right here in San Francisco. So that's one approach. Make time to do those things. And it's a networking event for security professionals. 

Dave Bittner: [00:17:26]  Right. 

Rick Howard: [00:17:27]  The second thing I would say is make time to spend on the floor, right? I know people kind of avoid the floor 'cause you're going to get your badge scanned and then a thousand emails are going to come your way. 

Dave Bittner: [00:17:38]  Right, right. 

Rick Howard: [00:17:38]  But that's where all the new ideas are. And just spend the day, even half a day if you can. Just go see what everybody has. And you're going to be able to see what are the new ideas, what's the same idea being repackaged and what - even the vendors that you're using, you can get the vision statement from what they're going to be doing later on. So make time to hit the floor. 

Dave Bittner: [00:18:00]  You know, one of my favorite things to do at a conference like this is to spend some time around the edges of the show floor... 

Rick Howard: [00:18:07]  Right. 

Dave Bittner: [00:18:07]  ...Where those little startups of - 'cause that's where you're going to find that idea, that innovation that nobody's thought of. And they're just trying to get someone's attention to say, look; we may have a solution here. 

Rick Howard: [00:18:18]  Yeah. And they're very passionate, and you learn a lot by just talking to those folks. You know, that's the two guys and the dog in the garage team, right? 

Dave Bittner: [00:18:25]  Right, right. 

Rick Howard: [00:18:26]  And if it is any good, they're likely to get picked up by one of the big vendors in the next year or two. So that's where you get your first entry into all that. 

Dave Bittner: [00:18:36]  What about for someone who is just starting out in the field? And they're walking around in there. Maybe they're seeing some folks' names they recognize from social media, from publications and things like that. It seems to me like they should not be intimidated to come up and say hello, shake your hand, you know, introduce themselves, try to expand their social network that way. 

Rick Howard: [00:18:59]  Yeah, virus worries notwithstanding, OK? 

Dave Bittner: [00:19:02]  (Laughter). 

Rick Howard: [00:19:03]  But, yeah, everybody here comes because they want to meet the people. And everybody you talked about, all those people who are, you know, celebrities or thought leaders in our industry, they will absolutely spend whatever amount of time they have for you if you want to come up and talk to them. And this is the place to do it, right? 

Dave Bittner: [00:19:21]  Right. 

Rick Howard: [00:19:21]  Because you're trying to learn, and they want the new folks to do well in the industry. So, yeah, please take advantage of that. 

Dave Bittner: [00:19:28]  Anything in particular that you have your eye on this year? Anything you're - you have your sights set on that you're looking to explore? 

Rick Howard: [00:19:35]  Yeah. I'm - I've been studying the SASE development. In fact, when you say SASE, you should really say sassy or, you know... 

0:19:44:(LAUGHTER) 

Rick Howard: [00:19:44]  ...Sassy. 

Dave Bittner: [00:19:45]  Wasn't that something from "The Flintstones?" Wasn't it Dino's girlfriend was Sassie? 

Rick Howard: [00:19:48]  Was it Sassie? I think you're right about that. 

Dave Bittner: [00:19:50]  Was it Sassie? Sorry. 

Rick Howard: [00:19:50]  No. 

Dave Bittner: [00:19:51]  We're dating ourselves here, Rick (laughter). 

Rick Howard: [00:19:52]  I'm totally going to use it in all my slides from now on, though. 

0:19:55:(LAUGHTER) 

Rick Howard: [00:19:57]  And I think SASE - I've been interested in it because I think it's going to disrupt how we all receive security services in the future. 

Dave Bittner: [00:20:04]  OK. 

Rick Howard: [00:20:05]  It's changing the paradigm. So I'm looking for people talking about that, any discussions about that. That's... 

Dave Bittner: [00:20:10]  SASE stands for? 

Rick Howard: [00:20:11]  Secure Access Service Edge. It's a horrible name. 

Dave Bittner: [00:20:14]  OK. 

Rick Howard: [00:20:15]  Gartner coined it back last August. 

Dave Bittner: [00:20:18]  OK. 

Rick Howard: [00:20:18]  There have been companies delivering those services for the last three or four years, but it really hasn't caught on as a movement yet until Gartner gave it a name, so SASE. And what it really is is changing how we deliver the service. You know, when I did this back in the old days, we would build a security stack and put it everywhere our data was. We would trombone data from remote locations back through the security stack. And it's really not very efficient. 

Dave Bittner: [00:20:44]  Yeah. 

Rick Howard: [00:20:44]  SASE is really a combination of MSSPs but a cloud vendor that has a security stack that they manage in the cloud, right? But you run your policy on it, OK? And instead of tromboning all the traffic out from wherever you are, your first hop, wherever you are, is through a SASE vendor in the cloud. So if I'm a remote user at RSA, I don't run my traffic back to headquarters. I go to the local node here in California. It goes through my security stack, and then it goes to the internet if that's where it needs to go, right? 

Rick Howard: [00:21:16]  Yeah. So - and I - it's the perfect solution, I think, for small- to medium-size businesses. And for big business, like Fortune 500 companies, I think it's probably pretty good this year for nonessential stuff. 

Dave Bittner: [00:21:30]  OK. All right. Well, good insights. Rick Howard, as always, great to have you on board. Nice to talk to you. 

Rick Howard: [00:21:36]  Thank you, sir. 

Dave Bittner: [00:21:41]  And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. And don't forget you can get the daily briefing as an Alexa flash briefing, too. 

Dave Bittner: [00:21:52]  Thanks to all of our sponsors for making the CyberWire possible, especially our supporting sponsor ObserveIT, a Proofpoint company and the leading insider threat management platform. Learn more at observeit.com. Funding for this CyberWire podcast is made possible by RSA Conference, where the world talks security. Through global events and year-round content, RSAC connects you to cybersecurity leaders and cutting-edge ideas for a safer, more secure future. Learn more at rsaconference.com. 

Dave Bittner: [00:22:25]  The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Rick Howard, Elliott Peltzman, Puru Prakash, Stefan Vaziri, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.