The CyberWire Daily Podcast 9.16.16
Ep 186 | 9.16.16

VIPs scrub email, cyber war vs cold war, industry news and more.

Transcript

Dave Bittner: [00:00:03:17] VIPs everywhere rush to delete their emails before Fancy Bear gets her paws on them. Opinion leaders rumble about the Cyber War having picked up where the Cold War left off. Election security concerns may prompt US Senate hearings. British companies take a look at operations in the Baltimore-Washington area. Industry notes include VC rounds, M&A activity, a new automotive cyber security venture, and the announcement of 2016's SINET 16. And the US House doesn't think too much of a Snowden pardon.

Dave Bittner: [00:00:38:00] Time to take a moment to tell you about our sponsor, Recorded Future, the real time threat intelligence company. Recorded Future's patented technology continuously analyses the entire web to give cyber security analysts unmatched insight into emerging threats. We read their dailies at the CyberWire and you can too, sign up for Recorded Future's cyber daily email to get the top trending technical indicators crossing the web. Cyber news, targeted industries, threat actors, exploited vulnerabilities, malware and suspicious IP addresses. Subscribe today to stay ahead of cyber attacks. They watch the web so you have time to think and make the best decisions possible for your enterprise's security. Go to recordedfuture.com/intel to subscribe for free threat intelligence updates from Recorded Future. It's timely, it's solid and it's on the money. That's recordedfuture.com/intel. And we thank Recorded Future for sponsoring our show.

Dave Bittner: [00:01:39:11] I'm Dave Bittner in Baltimore with your CyberWire summary and week-in-review for Friday, September 16th, 2016.

Dave Bittner: [00:01:46:19] Nearly every prominent person with a Gmail account has been well and properly spooked by the hacking of former US Secretary of State Powell's emails. The New York Times reports that a news anchor, a senator, a former national security official and others are busily deleting emails, changing passwords and so on. The emerging consensus of observers is that the Powell doxing is the work of Fancy Bear, the nom de hack US security vendors have given Russia's GRU.

Dave Bittner: [00:02:13:08] Such breaches are seen by observers as involving failures of digital hygiene, or less charitably, what eSecurity Planet calls "infosec hubris." A senior NSA official pointed out earlier this week that the high profile breaches various enterprises have sustained over the past two years involved basic oversights and not exotic zero-days.

Dave Bittner: [00:02:33:19] A Washington Post op-ed tells us that the Cyber War has replaced the Cold War and that the two conflicts have a certain similarity.

Dave Bittner: [00:02:41:09] One difference is that information operations have probably grown markedly more effective. We heard a good bit about this at Invincea's Beat the Breach session in Washington yesterday.

Dave Bittner: [00:02:51:11] Richard Clarke, former White House Cyber Advisor, said, quote, "The Russians are clearly very active in this election and they don't seem to care that we know it, they're increasingly bold and this is a disturbing change," end quote. He noted the new possibilities of deception. If the first set of emails leaked are genuine, as it appears the Powell emails are, that predisposes people to regard the other leaks as also authentic. But why should they be? Releasing the real documents is just the first move in an information ops confidence game.

Dave Bittner: [00:03:20:20] In any case, there are calls in the US Senate for a full investigation of alleged Russian attempts to affect the November elections. The US electoral system is sufficiently diverse and distributed that its global subversion is very far fetched but many observers fear effective local hacking.

Dave Bittner: [00:03:37:10] On Tuesday we attended the Billington CyberSecurity Summit, which also met in Washington. There was a striking emphasis on the part of many speakers that cyber security would most benefit from attention to basic digital hygiene and sound management practices. Those who spoke this way prominently included Ciaran Martin, CEO of the UK's new National Cyber Security Center, and Tony Scott, the US Federal CIO. Scott, in particular, called out the need to modernize, upgrade and replace legacy IT systems, as both a matter of economy and security. Such upgrades would, Scott hoped, free information technology from old technology, organizational and budgetary paradigms, that have impeded progress toward better security.

Dave Bittner: [00:04:20:23] This week has seen a fair bit of industry news, not only are companies from the UK clearly looking into establishing a presence in the Baltimore-Washington area, but several startups have attracted fresh rounds of venture funding. LogRhythm has picked up $50,000,000, risk-rating shop, BitSight, $40,000,000, industrial control system security vendor, Claroty, $32,000,000, Cato Networks, $30,000,000, and DDoS mitigation outfit Zenedge $6,200,000.

Dave Bittner: [00:04:51:01] There's also been some M&A activity. Verizon has bought IoT security company, Sensity, and Ant Financial has picked up biometric shop, EyeVerify. Aurionpro Solutions has finalized its acquisition of Los Gatos-based Cyberinc.

Dave Bittner: [00:05:07:02] And there's an interesting new automotive cyber security company forming, Volkswagen is teaming up with three Israeli experts to form Cymotiv, which will address the security of connected cars. Rod Schultz, VP of Product at Rubicon Labs, told the CyberWire he applauded the decision to form Cymotiv, he thinks they should focus on creating a secure identity for the hundreds of electronic control units now built into cars everywhere.

Dave Bittner: [00:05:32:19] Search and analytics company, Elastic, has bought Prelert, an innovator in behavioral analysis. The play is thought to represent Elastic's bid to disrupt big data house, Splunk. The acquisition is interesting also because Prelert was announced today as one of 2016's SINET 16, the Security and Innovation Network's annual honor role of cyber innovators. The other winners are, in alphabetical order, BlackRidge Technology, Contrast Security, CyberX, DataVisor, Digital Shadows, Interset, Menlo Security, Ntrepid, Phantom Cyber Corp., Post-Quantum, ProtectWise, RiskSense, SafeBreach, ThreatQuotient and Vera. Congratulations to them all. You'll find links to accounts of the SINET 16 and why they won in today's issue of The CyberWire Daily News Briefing.

Dave Bittner: [00:06:23:23] And finally, Oliver Stone's film, Snowden, it was shot in color, but according to Wired's review it offers a black and white story quite devoid of so much as a shade of gray. Oliver Stone's Snowden has convinced some that its eponymous subject deserves a Presidential pardon. Some, but far from all. Among the unconvinced are the Republicans and Democrats of the House Permanent Select Committee on Intelligence who have just sent the President a letter expressing strong exception to the petition for pardon.

Dave Bittner: [00:06:53:07] So what's the betting? Which is likelier? A pardon for Ed Snowden or the replacement of the Star Spangled Banner by City Escape from Sonic the Hedgehog? Remember, Sonic fans, make America fast again.

Dave Bittner: [00:07:10:07] Time to take a moment to thank our sponsor, E8 Security. You know, to handle the unknown unknown threats you need the right analytics to see them coming. Consider the insider threat and remember that an insider threat isn't necessarily a malicious actor, sometimes it's a well intentioned person who's careless, compromised or just poorly trained. Did you know you can learn user behavior and score user's risk? E8 can show you how. Did you know, for example, that multiple Kerberos tickets granted to a single user is a tip-off to a compromise? E8 can show you why. Get the White Paper at e8security.com/dhr and get started. "Detect, Hunt, Respond." E8 Security. And we thank E8 for sponsoring our show.

Dave Bittner: [00:07:56:13] And joining me once again is Dale Drew, he's the Chief Security Officer at Level 3 Communications. Dale, it seems like every day we're seeing more news about healthcare record leaks, what are some things that enterprises can be doing to protect these particularly valuable assets?

Dale Drew: [00:08:12:18] You know, healthcare records are actually ten times more valuable than credit card data on the black market. There is a definite, tangible market for gaining unauthorized access to medical records and selling them on the black market. We really recommend a few things, you know, we recommend some, some fairly traditional security mechanisms in the healthcare industry, more and more healthcare devices are being connected to the healthcare ecosystem, more and more diagnostic systems, all those systems run, you know, versions of relatively vanilla operating systems and they come with exposures. So making sure that those systems are properly patched and up to date and monitored for security access and security controls. Not many people, you know, and practitioners, really put a lot of thought into making sure that, you know, healthcare monitoring systems are being properly patched and properly monitored, they're using them as appliances. The other one that we're recommending, especially in cases like this, is to ensure that the healthcare monitoring appliances are really separated from the healthcare user population. You know, people are being able to get access to these devices, you know, the vector is, is these healthcare devices, and then from there they're then able to gain access to things like desktops where the healthcare records are stored. So we really recommend segmenting or separating those sort of networks so that they can't talk to each other, or they talk to each other through a security policy enforcement infrastructure that can properly check the security of those systems.

Dave Bittner: [00:09:50:05] And what about from the other direction? I mean, what about as a consumer? What can I do to make sure that my healthcare records are as protected as they can be?

Dale Drew: [00:09:58:13] You know, as a consumer, what I would say is, you know, is, is you can con-- you can reach out to your healthcare provider and ask him what security controls that they have in place, ask them what-- if there's any third party auditing that's being done on the healthcare provider to validate the controls and if there's any serious or significant findings as a result of that last audit. You'll be surprised how, how forthcoming those healthcare providers will be and how transparent they are and it really helps provide some education to the end user about how that information's properly protected.

Dave Bittner: [00:10:33:16] Alright, Dale Drew, thanks for joining us.

Dave Bittner: [00:10:37:18] I'd like to take a break and tell you about an exciting CyberWire event that's coming up soon, the third annual Women in Cyber Security Reception, taking place September 27th at the Columbus Center on the beautiful Waterfront in downtown Baltimore. The Women in Cyber Security Reception highlights and celebrates the value and successes of women in the cyber security industry. The focus of the event is networking and it brings together leaders from the private sector, academia and government from across the region and women at varying points in their career spectrum. The reception also provides a forum for women seeking cyber security careers to connect with the technical and business professionals who are shaping the future of our industry. It's not a marketing event, it's just about creating connections.

Dave Bittner: [00:11:19:10] This year we're pleased to be partnering with the great people over at the Cybersecurity Association of Maryland, CAMI. We're grateful to our sponsors too, Booz Allen Hamilton, Saul Ewing LLP, ClearedJobs.net and CyberSecJobs, Cyber Point International, Delta Risk, IBM and AI Tech. If your company is interested in supporting this important event we still have some great sponsorship opportunities available. We're also partnering with Maryland Art Place to have a special work of art created for the event that attendees can take home with them. As it's been in previous years, this is an invitation only event. We do it this way to ensure a mix of women with diverse backgrounds and at different career levels. If you're interested in getting an invitation to this year's event tell us a little bit about yourself and request one at our website, thecyberwire.com/wsc, that's thecyberwire.com/wcs. And we look forward to hearing from you.

Dave Bittner: [00:12:16:19] My guest today is Shelley Westman. After a few years as a lawyer she spent most of her career at IBM, where she's Vice President of Operations and Strategic Initiatives in IBM Security Business. She's a popular keynote speaker and a champion for attracting and retaining more women and minorities into cyber security. So, as you were coming up through IBM, were there any particular challenges that you faced by virtue of being a woman?

Shelley Westman: [00:12:41:24] Well, what's interesting is, for most of my career at IBM I gave no thought to the fact that I was a woman, I would say for 15 of the 17 years. I came in every day, of course I noticed that there was not as many women in a lot of the meetings, but I didn't belong to any women's group, I didn't pay any particular emphasis on it. I came in, did a good job and expected to be rewarded and was rewarded. It wasn't until I got into IBM Security and started hearing about the dismal numbers overall in the industry, where there's only 10% of women in the security space that I really figured as a female leader, I need to step up and start being a vocal advocate to improve these numbers.

Dave Bittner: [00:13:27:11] So let's talk about those numbers. Why do you think we do so poorly in cyber security when it comes to hiring women?

Shelley Westman: [00:13:34:22] Well, first of all, there's not as many women available to hire, that's really the heart of the problem, women are not choosing overall stem careers, number one, in cyber security, number two, and that's for a variety of reasons. A lot of them don't know about it, so the ones that I'm speaking with that have gotten into the field have gotten into it almost by accident, where they saw something or they participated in a hacking contest and really fell in love with it. We're not doing a good job of educating these young women that this is a viable career opportunity.

Dave Bittner: [00:14:10:07] You touched on the importance of having mentors and people supporting you along the way, did, did-- how important was mentorship to you as you made our way up through your career?

Shelley Westman: [00:14:20:00] Mentorship is very, very important as a sponsorship, and there's really a different set, I don't know that everyone understands. You know, in mentoring you can pick your own mentor, you can say, "Will you mentor me, will you help me?" A sponsor has to pick you, they have to be willing to put their career on the line and say, "I know Shelley, she's going to do a good job in this next role." And both mentors and sponsors are critically important. And, for me, interestingly enough, I've only had one female mentor in my whole career because I've always wanted to get that difference of thought. I know how I think being a woman, I want to make sure that, you know, I've got another point of view guiding me and saying, "Have you thought about it from this perspective?" So I've typically gravitated toward male mentors because they can give me that different point of view.

Dave Bittner: [00:15:10:21] What about for men who want to be more supportive of getting women into the field, but then also want to support women once they're in the field? What advice do you have for your men who want to contribute and try to equalize the situation more?

Shelley Westman: [00:15:25:24] You know, and that's a really important question, because we absolutely need men as allies. So if you think about it, the field of security has 90% men and 10% women, this is across the board, and we can't change that without men stepping up and saying, "I've got to be one that's going to help this situation." And I think it's hard for men to understand some of the unique problems that a woman might face in a very male dominated field until they start thinking about it on a personal level and start thinking about their wife or their daughter and what they want it to be like for future generations. And I think none of this is really done-- you know, nothing that happens is done with malicious intent, we just tend to gravitate towards people like us. So for a male to really stop and say, "How am I going to help change this? How am I going to get people that look different than me so I can get this diverse perspective," is really powerful. And the other thing I tell my teams is that, you know, we don't want diversity just because it's nice to have, we want diversity because it's been proven time and time again that diversity leads to better business results and that when you have people that think different from you you come up with different solutions and that is really important. If you surround yourself with people that think like you, only, you're all going to come up with the same answer and that's why it's important and that's what we've got to get men to realize, that this benefits all of us, if we do better we get better bonus, more money, more room for advancement for all of us. It's not just a nice to have, it's a business imperative.

Dave Bittner: [00:17:16:22] And, and just for career advice in general for the young women who may be heading into college or heading out of college and is considering a career in a technical field or cyber security, what would your advice be for her?

Shelley Westman: [00:17:29:03] So, my advice for anybody considering a career is find something that you love doing and I speak from practical experience because when I was practicing law I hated it and it was very sad, I thought that's what I wanted to do my entire life and I didn't feel the energy from it, it didn't make me happy. And so you have to go and find something you like doing and don't give up on that. If you try something and don't like it, find something else. You spend too much of your time at work to be doing a job you don't like. In terms of the stem careers and fields in cyber security, my advice is try it, you might like it, and, you know, I've heard from young women who I've gotten involved in some of these external clubs and they participated in a capture the flag contest and they're absolutely amazed at how much they enjoyed it. So until you try something you don't know whether or not you like it. So go for it, try it, give it a chance and if you don't like it find something else.

Dave Bittner: [00:18:33:05] IBM is teaming up with the International Consortium of Minority Cybersecurity Professionals, the ICMCP, for an event in October, what can you tell us about that?

Shelley Westman: [00:18:43:22] I'm so excited about this event, we're having this October 4th at 590 Madison Avenue, which is one of our IBM buildings, and we're having a town hall style event where we're focused on how do we get more women and underrepresented minorities into cybersecurity and we've brought together three panels consisting of some of the top leaders in business and security and academia to really talk about what they're doing, what works and doesn't work and share ideas.

Dave Bittner: [00:19:15:15] That's Shelley Westman from IBM. You can see a video of her keynote presentation at this year's Women in Cybersecurity Conference on our website, thecyberwire.com.

Dave Bittner: [00:19:28:22] And that's the CyberWire. For links to all of today's stories along with interviews, our glossary and more, visit thecyberwire.com. Thanks to all of our sponsors who make the CyberWire possible. The CyberWire podcast is produced by Pratt Street Media, our editor is John Petrik, our social media editor is Jennifer Eiben and our technical editor is Chris Russell. Our executive editor is Peter Kilpe. I'm Dave Bittner. Have a great weekend everybody.