The CyberWire Daily Podcast 12.23.21
Ep 1485 | 12.23.21

Log4j updates, including one deadline. Other, non-Log4j, challenges. RSAC postpones itself until June. A German court awards pain-and-suffering damages in a breach case.

Transcript

Dave Bittner: An update of where things stand with respect to the Log4j vulnerabilities, and a reminder that there are other matters to attend to as well. RSAC postpones its annual security shindig to June, hoping to avoid the COVID. A German court awards pain-and-suffering damages for a data breach. Carole Theriault looks at hiring challenges in cyber. Robert M. Lee from Dragos with insights from his own entrepreneurial journey. And a new startup seeks to take lemons and make them into lemonade.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, December 23, 2021. 

Dave Bittner: The Five Eyes - Australia, Canada, New Zealand, the United Kingdom and the United States - have updated their guidance on mitigating the risk Log4j vulnerabilities pose. Their high-level advice has remained pretty stable. They recommend identifying assets affected by Log4shell and other Log4j-related vulnerabilities, upgrading Log4j assets and affected products to the latest version as soon as patches are available and remaining alert to vendor software updates, and initiating hunt and incident response procedures to detect possible Log4shell exploitation. They offer details on how to do all three of those things. 

Dave Bittner: Today is the deadline for U.S. federal civilian agencies to mitigate Log4j vulnerabilities in compliance with the Cybersecurity and Infrastructure Security Agency's Emergency Directive 22-02. The first deadline falls at 5:00 p.m. Eastern Standard Time today. We're not going to list the requirements verbatim here, but they include enumerating solution stacks, evaluating and updating software assets, mitigating risks and, when affected software is identified, assuming compromise. CISA encourages all organizations to take similar steps. This, as we mentioned, is the first deadline. The second one arrives at 5:00 p.m. next Wednesday, when the U.S. federal civilian agencies under CISA's supervision are to report on the affected applications they found and to confirm, quote, "that your agency's internet-accessible IP addresses on file with CISA are up to date, as required by CISA Binding Operational Directive 19-02," end quote. 

Dave Bittner: CISA has also published an open-source scanner designed to detect Log4j vulnerabilities. Quote, "this tool is intended to help organizations identify potentially vulnerable web services affected by the Log4j vulnerabilities," end quote. The scanner was developed from a variety of other open-source tools developed in response to the discovery and disclosure of Log4j issues. It's available on GitHub. 

Dave Bittner: Engineers at online retailer Alibaba were the ones who discovered and disclosed Log4shell, but Chinese authorities have taken issue with the way Alibaba disclosed it. The Ministry of Industry and Information Technology has suspended its data-sharing agreement with Alibaba Cloud, to be lifted, Reuters reports, in six months, if Alibaba mends its ways. The South China Morning Post explains that while disclosing vulnerabilities to vendors first has long been the normal industry practice, a new law encourages Chinese companies to share such discoveries first with the Chinese government. Reuters suggests that such encouragement is of a piece with Beijing's policy of bringing its infrastructure under government control. The Wall Street Journal's brief account of why that courtesy we've come to call responsible disclosure has become an industry norm is clear. Quote, "cybersecurity experts say the general etiquette for researchers who find software flaws is to privately report the vulnerabilities to developers who can fix the issues. Making software flaws or updates public before such patches are in place can set off a race among hackers to take advantage of such issues," end quote. 

Dave Bittner: The Conti ransomware gang is actively exploiting Log4shell. VentureBeat quotes AdvIntel to the effect that signs point to a useful diversification - useful from Conti's point-of-view - in the gang's arsenal. Tech Republic reminds its readers that Conti's style is the now-familiar double-extortion attack - steal the data, render the data inaccessible to their owners and threaten to both withhold decryption and release stolen files unless the victims pay up. 

Dave Bittner: With all the attention Log4j issues are rightly receiving, it's worth recalling that other vulnerabilities continue to undergo exploitation. Nation-state intelligence services remain active and persistent. IT World Canada cites Mandiant to the effect that Nobelium, famous over the past year for having hit the now-fixed issues in SolarWinds, has maintained its high optempo. APT29 has compromised multiple technology solutions, services and reseller companies since 2020. Nobelium is also known as APT29, Cozy Bear, Russia's Foreign Intelligence Service, the SVR, according to MITRE's ATT&CK scorecard. 

Dave Bittner: Positive Security has reported discovering four vulnerabilities in Microsoft Teams. Quote, "the vulnerabilities allow accessing internal Microsoft services, spoofing the link preview and, for Android users, leaking their IP address and DoS'ing their team apps and channels," end quote. BleepingComputer says that Microsoft has considered the severity of the reported vulnerabilities and concluded that they don't represent an immediate risk that requires urgent remediation; they'll be addressed in due time. We note in disclosure that Microsoft is a CyberWire partner. 

Dave Bittner: Concerns over COVID have postponed the annual RSA Conference until June. An email from the cybersecurity conference's organizers said, quote, "in the interest of the health and safety of our community, RSA Conference has made the difficult decision to move RSAC 2022 from February '22 to June 6 through 9, 2022," end quote. By then, the organizers hope it will be possible to hold their customary in-person event in San Francisco. We hope so, too. It's nice to see you all there. 

Dave Bittner: It may be a first for Europe, JD Supra writes, and it's surely unusual. A German court has awarded a plaintiff damages in the amount of 2,500 euros for pain and suffering experienced as the result of a data breach. 

Dave Bittner: Finally, is America a great country, or what? It’s the land of second chances, where you can put up a shingle and, blammo, you’re in business. Hey, we did it. 

Dave Bittner: So consider, if you will, the career of Mr. Peter Levashov, who gives us an appropriate Hallmark moment in which to close out our podcasting year. You may remember Mr. Levashov as the self-proclaimed spam-king, a Russian hoodlum who was incautious enough to vacation in Spain, which has a good extradition treaty with the U.S. While there, Spanish authorities arrested him on a U.S. warrant and, after a hearing, extradited him stateside, where he copped a guilty plea to charges that included wire fraud and aggravated identity theft. 

Dave Bittner: In July, a U.S. federal judge sentenced him to time served, plus three years' supervised release, which is far short of the torment and death Mr. Levashov told the Spanish magistrate he faced if he were to be turned over to the Americans. 

Dave Bittner: Anyhoo, Time magazine reports that Mr. Levashov, now living it up in New Haven, Conn., says he’s seen the error of his ways, gone straight and given up hacking. He’s working on a new venture - a start-up he calls SeveraDAO, a fintech outfit working on an automated approach to stock-picking. He said, quote, "the U.S. government gave me lemons. I'm selling the lemonade." 

Dave Bittner: He looks happy in the photograph, as he should be, since we hear New Haven is nicer than, say, Chelyabinsk. And good luck to him in his new life. May he be happy and not defraud anyone. We won’t be customers, but we’ll lift a glass of lemonade to him. 

Dave Bittner: And speaking of celebration, this episode closes out our regular 2021 podcasting season. We’ll have plenty of extras for you next week to amuse and inform, so don’t be a stranger, and we’ll be back to our usual schedule on January 3. As tomorrow is Christmas Eve, we end with holiday wishes to all of you. May Santa Claus or Ded Moroz be good to you, and may your year end with happiness, health and prosperity that carries forward into 2022. 

Dave Bittner: And now, Feds? Get patchin’. If you’re not done by 5 o'clock, Director Easterly will have you on the naughty list. 

Dave Bittner: The hiring situation in cybersecurity remains complicated. On the one hand, you've got organizations desperate to hire qualified candidates. On the other hand, you've got qualified candidates lamenting the fact that so many job listings include unrealistic requirements for entry-level jobs. So why all the confusion? Our U.K. correspondent Carole Theriault has this report. 

Carole Theriault: Being employed in cybersecurity can be exciting, engaging, lucrative, and yet there's a global shortage of expertise. Around the world, we are hearing the call for cybersecurity king- and queenpins to make themselves known. Now, it's not down to a lack of interest, and there have been strong drives to get the next generations to think of cybersecurity as a viable career opportunity. In fact, the number of graduates in cyber is apparently set to double in the next two years in the EU alone. But ENISA, the EU's transnational cybersecurity agency, has raised a flag and said that despite a doubling of the number of graduates in the next two years, the problem will not be resolved. 

Carole Theriault: Meanwhile, over the pond in the U.S., the Department of Homeland Security has just launched its Cybersecurity Talent Management System, CTMS, and its job is to help recruit, develop and retain cybersecurity pros. Microsoft also announced a campaign to bring 250,000 more people into the U.S. cybersecurity industry by 2025 by offering colleges and students alike the support they need to enter the field. 

Carole Theriault: So what is the problem? Why is there a shortage of cybersecurity good folk out there? According to PCMag, one-third of America's cybersecurity-related jobs remain unfilled due to lack of qualified applicants, even though some of those positions offer six-figure salaries. So lack of training seems to be an issue even for the top-level jobs. 

Carole Theriault: And here's my two-pence view. Organizations, especially those entrenched in the digital world, are ever more reliant on algorithms to help with the recruiting process. That means a human might only see the shortlist of candidates who meet every single criterion. And in entry-level positions, jobs often require several years of work experience, proficiency in multiple programming languages and prior involvement in online security communities. I mean, how is a typical new graduate supposed to have all these qualifications? Not everyone can do a degree, get advanced certifications, work experience and provide three references of past work. Or if you're looking at a more senior role, the same problem can happen. You might not have all the exact qualifications listed in the job description, and the algorithm dumps you. 

Carole Theriault: Now, if you're looking to work alongside a gaggle of other cybersecurity folks, maybe in a cybersecurity company that builds tools to protect others, training opportunities might exist in-house. Plus, there are oodles of people on hand to help the recruiter write a sensible job description. What if you're looking to be hired in a company outside the cyber world? The H.R. team won't necessarily know what you need to know in order to do the job, so they may get an external affiliate, and that external affiliate might pile on a lot of different requirements in a CMA sort of way. 

Carole Theriault: My rather long-winded point here is that the job description and the A.I. used to sort the wheat from the chaff in terms of candidates might actually be compounding the problem. To those of you out there looking for people with cybersecurity chops, review your job descriptions, people. Remember that good, smart people who are engaged and excited to learn may be exactly the kind of people that you want looking after your cybersecurity. So they may not have all the nous right now, but once trained, they'll be unstoppable. And so will you. 

Carole Theriault: This was Carole Theriault for the CyberWire. 

Dave Bittner: And I'm pleased to be joined once again by Robert M. Lee. He is the CEO at Dragos. Rob, it's always good to have you back. You all recently completed your D round of funding, and I have to say I remember - I think I first crossed paths with you back when it was just a handful of you and your colleagues in the DataTribe incubator. Oh, how far you've come. Congratulations on all of your success, but I thought... 

Robert M. Lee: Rob, I thought you would've screwed it up by now. Thanks, Dave (laughter). 

Dave Bittner: I mean, of all people, yeah, really, of all people, I really would have thought it would have been someone else, but congratulations on all of your success. But I was hoping we could get some insights from you, and one of the things I appreciate about our conversations is what a straight shooter you are. So a D round - what does that mean in terms of where a company like yours stands and what you hope to do by bringing on the funding? That is, you know, there's two sides to that, right? 

Robert M. Lee: So from what it normally means for a company in general is, you know, as you well know and on your own journey - right? - the seed to A is, hey, we've got a good idea. We think there's a market there. We want to put something towards it. The B, maybe even the C round is, hey, we've got product market fit. Let's start building out the sales teams. Let's go after this. I think it's happening. By the time that you get to a D and you haven't been taken out or acquired yet or something like that, which I still also think a lot of people have misconceptions on - and I get the question all the time - why hasn't Dragos gotten acquired? Because we don't want to be. You know? (Laughter) Like, it turns out you get to say. 

Robert M. Lee: But anyways, but by the time you get to the D round, that is a signal. It's a this is a huge market. This is a huge opportunity. We've got great traction. We can pour the proverbial fuel on the fire. I think people hear, like, an A round, like, oh, we're pouring fuel on the fire. Like, what fuel? What fire? Like, no. You got a lot of work to do ahead of you. But the D round is, OK, we're there. And I think that this is a large enough market to go and do something like an initial public offering or an IPO. And for us, we were very fortunate to not only have Koch Industries, who was in our C round, has been phenomenal partners for us, but also have BlackRock come in and lead. 

Robert M. Lee: And when you look at the - what that means and what it means to me, you know, there's been so many companies out there that have downplayed OT, this operation technology or industrial control systems discussion. Every single turn of the corner over the last decade, I've been told by people how it's irrelevant or it's going away, or, oh, there's this IT/OT convergence thing as some crappy excuse on not to do it. You know, there's always some reason. Oh, you can't make it happen. Oh, the asset owners and operators don't care enough to move. Blah, blah, blah, blah, blah. And I think we've been able to show that's not true. But when BlackRock comes in, you know, they're the largest investor in the world and over $9 trillion under management. When they come in, it's a statement. It's a this is a huge market opportunity. And, yeah, this whole OT thing is something that's not only worth doing, but it's the right thing to do, and it's valuable. 

Robert M. Lee: And so anyways, I was very excited about what that says for the entirety of the market, not just the Dragoses of the world. And I think we're very fortunate to have those type of players around the table so that on our journey, we've got the stability and, you know, ability to go where we want to go, which, to me, is being as independent and sticking around as long term as possible. Like, there's no scenario where I don't want to be protecting people and, you know, safeguarding civilization. So yeah, that's what it meant for us. And yeah, the resources are all about doing more of the same - building out the team, doing more internationally. We had our office open in Melbourne. We've got our office opening in Dubai and Riyadh, you know, had a new one in the U.K. It's just about hitting the global community. 

Dave Bittner: What about the obligations that come with taking on that kind of investment? How does that affect the day-to-day running of the company? 

Robert M. Lee: Yeah. So nothing managementwise changes, and this is another thing that's, like, hard for people to understand outside these companies. I always get questions like, when do you lose control? Or like - like there is control to be had for the first question. Like, that assumes there's some control on this. And - but what we've always been is governed by our board, myself included, where we think thoughtfully together about the path we want to go down, and we get consensus in doing that. And so none of that changes. Like, even the D round didn't add a new board member. We've been doing really well. And so if you start a company and you have a lot of promises but not a lot of delivery, you're going to make some concessions in those term sheets and in the terms you sign. If you're a company that's doing really well and your customers have your back, you don't have to make a lot of concessions. 

Robert M. Lee: And so for us, we've always been very fortunate to have a clean path ahead of us, and nothing managementwise changes. The obligation changes, though, a little bit. When you're taking a $200 million loan - because that's how I view it - when you're taking a $200 million loan, you're telling that person, hey, the market is so big. We're so capable, we're so dedicated that we can return three to 10x on your loan for you and it still be a good investment for the company to go and scale. 

Robert M. Lee: So it's - there's a - it's - I want to say it's no different, but it really is. Like, it's just an increase in the obligation to you, your employees, your customers, making sure that you got to be in it for the long haul. Like, and a lot of companies start out with a good vision and belief. When you get into year five, six, seven years of that journey, it can be taxing, and you've got to be fully dedicated when you're kind of doing those kind of - those numbers and those goals and recruiting a bunch of people onto your staff. You know, we've got, like, 400 people now on the team. It's, you know, it's just a commitment. 

Dave Bittner: Do you ever find that you have to sort of pinch yourself and take stock when you, you know, had this seed of an idea way back when, and here you are with, you know, all - this success, this scale? It seems like you're onto something, right? 

Robert M. Lee: Maybe. No, I - I don't know. I'm very fortunate that we've been able to recruit the people we have. And so I think there's probably too much credence given, if that's the right word, too much credibility given to founders of tech companies. Oh, look at the founder. Oh my gosh. 

Dave Bittner: Right. Right. 

Robert M. Lee: You know, it's like, you know, obviously, I'm biased. I obviously believed in this thing or I wouldn't have started it. I'm probably the one that can't see the best. You know, my bias tells me that, of course, this needs done. So for me to be able to recruit the type of quality of people that we have that come in and go, no, no, I see it, too, and I'm not as biased, but I see this needs to get done, and this is important, and I believe in this - to me, that's the humbling factor. To me, that's the pinch yourself. Like, wow, look at the people we've been able to recruit, and look at the customers that have come along with us on that journey. I think the series D and the money raised is more of the validation after the fact and less the exciting piece of it, with no offense, of course, to the investors. 

Dave Bittner: Well, interesting insights, as always. Rob, thanks so much for joining us. 

Dave Bittner: One final note - we will be taking a break from our regularly published programs from Christmas Eve to New Year's Day. But not to worry - we still have an exciting lineup of great CyberWire Pro content that you won't want to miss, so stay tuned. And happy holidays, everyone. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here next year.