2020 Q1 cybersecurity analyst call: "A sorting hat for cybersecurity."
That’s one effect the pandemic will have on the cybersecurity sector. This is the CyberWire Quarterly Analysts’ Call, Volume 1, Issue 1. This quarter's panel consists of Rick Howard (Chief Analyst, CSO, and Senior Fellow at the CyberWire), Dave Bittner (Host, Producer of the CyberWire podcasts), Joe Carrigan (Co-Host, Hacking Humans), and Ben Yelin (Co-Host, Caveat).
This quarterly analysts’ call took up the effects of the coronavirus pandemic on the cybersecurity sector, and of its implications for the practice of cybersecurity generally. Those effects are being felt in their influence on the scams and social engineering we see; in the need to work, wherever possible, under conditions of social distancing from home, which means working outside the company moat; in the general economic fallout measures taken to control the virus have imposed; and in the availability and productivity of talent in a sector where the supply of talented workers tends to fall short of the demand for them.
“I also wonder about the effects it's going to have on people’s productivity,” Bittner said. “I think we’re all experiencing a lot of anxiety, we’ve all got a lot of things on our mind, and I think it’s reasonable to expect that that will put us at less than a hundred percent of efficiency when it comes to getting our work done day-to-day.”
What companies will survive in the post-COVID-19 environment?
Early adopters of DevSecOps will have a decisive survival advantage, Howard argued. They will outcompete the laggards, and they’ll do so swiftly. The cybersecurity sector is about to undergo a winnowing, and the pandemic is going to sort the industry out.
“I’ve been saying for years that the companies that, you know, kind of put all their chips on the DevOps movement, or the DevSecOps movement, that those organizations that could get that done, they’re just going to outrun their competitors,” Howard said. “Those folks that have managed to put that infrastructure in place are well-better-positioned to survive this ninety-day – whatever it’s going to be for us – outage. Those that are still doing stuff manually – they’re going to be really struggling.”
What are the implications of epidemic control policies for privacy and security?
Yelin sees a strong constituency for mass surveillance, and for rock-solid, comprehensive testing. Even strong civil libertarians are more open to such emergency measures than one might have expected. Howard cautions that such measures may prove difficult to roll back once the emergency is over, and they may have enduring consequences unless careful thought is given to their implications for privacy and security.
Ransomware’s place in the threat landscape.
It’s no longer the case, as it was less than a year ago, where solid backups that enabled an enterprise to restore access to its data were sufficient to drive the risks of ransomware down to tolerable levels. Carrigan explains that the ransomware gangs now steal data, and there are many reasons organizations don’t want the data out. Regulatory and reputational risk are two of them, as are the economic penalties around loss of trade secrets and business relationships, and also, of course, there’s exposure to litigation by persons whose data you’ve lost. Thus ability to restore from backup is no longer enough: defense in depth is more important than ever. The first piece of advice Yelin would offer any organization hit by ransomware is to “lawyer up.” As far as paying ransom, in general you wouldn’t want to do that, but it’s an economic decision, as Carrigan notes.
“If you’re going to make a ransom decision – you know, should I pay the ransom or should I not? – basically, what I’m saying is, it should solely be based upon the cost of recovery versus the cost of paying the ransom, and whether or not you’re sure you can get that data back by paying the ransom,” Carrigan said.
What about data protection laws?
The California Consumer Privacy Act is the most consequential recent bit of legislation. Its enforcement remains a work in progress, but Yelin thinks it likely to impose a tort tax that will raise the cost of goods and services. Howard asks if more comprehensive law might be a good thing--perhaps a bill of rights for data? Yelin noted that a Federal law would be easier to comply with, but he isn’t optimistic that such a law will materialize any time soon.
“This is a problem that is Federal in nature, because our online interactions go across state lines,” Yelin said. “I think, in order to set one unified standard, to make compliance easier for these companies across the country and the world, the ideal would be to have a stringent Federal standard, but, you know, again, given what’s going on in the world, I don’t see that happening in the near future.”
What do you do while practicing social distancing or self-quarantine?
The panelists offer advice on how to spend your time. Their suggestions are too varied to cover comprehensively, but, in no particular order, they find themselves into Python, The Marvelous Mrs. Maisel, Zombies, Jean-Luc Picard, and Korean films. Talk (virtually) among yourselves.
Questions from the audience.
Audience questions are a vital part of our Analysts’ Call. Our thanks to all who participated.
Lots of COVID-19 FUD from vendors. What are you seeing, and what are your thoughts on selling amidst the crisis?
Answers from the panel.
Rick Howard: I'll take the first shot at this. My last job, I came from a vendor, so I have a little empathy for the sales teams out there. Typically, for big security vendors, and even medium and small ones, the sales motion is to get a security practitioner to agree to a meeting. And then the sales guys would show up and they would go through – they would give you the big run-around and convince you to buy something. That motion is gone for all the sales teams, right? So, because of the virus stuff, there's no meetings taking place anymore. So they are trying to find ways to sell stuff that are not going to be very nice to all of us. So, I feel for 'em. I'm not saying I justify it – I'm just saying I have a little empathy for them.
Dave Bittner: Hmm. Yeah, I mean, I can say from our point of view that, you know, part of our day-to-day is getting pitches from companies that want to share information or get their experts on our shows, and it's been all COVID-19 all the time. And some of them are very interesting and worthwhile and we schedule them to put on the show, and some of them just make you roll your eyes and you go, really? Like, that's how you're gonna connect to this? Really? In sort of distasteful ways.
So, my point is that I think it's a delicate line to walk. And I think you're seeing folks who have experience doing a good job of that. We're also seeing folks do a bad job with that. And that could accelerate some of the fallout from this.
How can organizations make things more expensive for the purveyors of ransomware?
Answers from the panel.
Joe Carrigan: Number one is security-in-depth. Right? And that's kind of just a practice that's always recommended. But make sure that you're doing good training on your people so that they can recognize these things when, you know, bad phishing emails when they come in. Because that is how most of these attacks begin – is with a phishing email that says, install this or click on this document. And it's a malicious document that installs the ransomware. So, take care of the people first.
The other thing is, I would say segment your network. A segmented network is a lot harder to move across laterally. In Baltimore, that network was not segmented and those actors just moved all the way across the network of the city with no issues.
Rick Howard: Can I jump in, Joe? Because I want to piggyback on what you said about segmenting the network. Right, and this is really zero-trust kinds of things, all right? It's a strategy that we all should be pursuing. And what I find out, when I talk to lots of different practitioners out there, is that they try to boil the ocean when it comes to zero trust, and you really don't have to get some basic protections in place. Most everybody these days has a firewall, and everybody – and all firewalls today are next-generation firewalls, which basically has the capability to prevent access based on user ID and applications. So you can make rules that say the marketing department can't go – or can only go to Facebook and nothing else. Right? You already have that tool in your organization. You should start using it right now, in logically segmenting the network so that really bad things can't happen to you in this terms of segmentation.
Dave Bittner: You guys think this is just one of those situations, that old joke about how, you know, if you and I are being chased by a bear, I don't have to outrun the bear – I just have to outrun you. That I don't – you know, my organization doesn't have to be perfectly protected. But if I'm better protected than the guy next door, chances are – since this is a numbers game for those ransomware folks – they're going to put their energy into somebody who hasn't taken all the steps I've taken.
Joe Carrigan: Yeah, yeah. Make it harder for them to penetrate you in the first place and start gathering the reconnaissance that they need to gather
Rick Howard: I feel like it's all that's true. But what that means is the organizations with less resources are the ones that are gonna get infected. And what the ransomware people have discovered this last year or two is that counties and cities are, you know, have less resources than everybody else. So, that's kind of why we're seeing that.
Ben, I mean, is it true that – I mean, when these counties and cities get hit, one of the pressure points for them is that they're obligated by law to provide certain services, right?
Ben Yelin: Absolutely. And not only are they obligated by law, but oftentimes they're reliant on revenue sources, which, if those dry up, as we saw in Baltimore City, that can kind of cascade the problems. But, yeah, I mean, they have legal obligations to meet, and so they're particularly vulnerable in that respect. And also, you know, just budget constraints are relatively severe, especially on municipalities that haven't done well in the past several years, where, you know, the tax base has dried up. So, it's both legal obligations and just a very high cost.
How different do you think the cybersecurity industry will look when we come out of this pandemic?
Answers from the panel.
Rick Howard: We started to talk about this early on in the panel. I do think that the startups – there's gonna be a lot less of them at the end of this. I think the big security vendors will ride it out and it'll be fine. But I'm not married to either of those propositions. Anybody want to disagree with me on that?
Dave Bittner: I mean, for me, I think there's just so many unknowns right now. It's hard to have a crystal ball when the normal rules don't apply on so many different levels in terms of, you know, politically and practically. I just really find it hard to have any real insight into where we're going, you know, day-to-day, week-to-week.
Ben Yelin: I mean, for me, I think there's just so many unknowns right now. It's hard to have a crystal ball when the normal rules don't apply on so many different levels in terms of, you know, politically and practically. I just really find it hard to have any real insight into where we're going, you know, day-to-day, week-to-week.
Are any of you reading any new books, binging any new shows, or learning some new skills during the stay-at-home-practices?
Answers from the panel.
Joe Carrigan: My wife and I are watching The Marvelous Mrs. Maisel on Amazon. So, if you have Amazon Prime, that's a great show. It's very funny. Not safe for kids, though, so keep that in mind. And it really is – my wife remarked the other day that she found it absolutely distracting from the current situation. So it's a good getaway. I am actually – as far as picking up new skills, I am getting better at Python and learning about Django, which is a web-based – a web framework based in Python. So I'm kind of picking up those skills with a little bit of free time that I have.
Dave Bittner: I'm going to nerd out on everybody and say I've been enjoying the Star Trek: Picard series. I'm about halfway through it. And if you're somebody who grew up like me and Next Generation was something you enjoyed in your younger days, this is a show that you're probably gonna like, and it's going to give you a lot of feels. So, it's been a welcome distraction for me. That's what I've been enjoying.
Ben Yelin: I have two small children at home, so my free time has gone way down......as opposed to up, which is – as it is for most people without kids. We just started Tiger King last night, which I know is the talk of social media these days. And we've also – when we finally get our kids to sleep at night, we've been bingeing Broad City. Also not safe for kids, but a really, really funny show. And in terms of new skills, a while ago I started taking guitar lessons – not that much of a musical person – I've had a little bit more time now that to hone my craft, and I've gone from awful to pretty awful, so…
Rick Howard: Well, I have two recommendations, two books that are more professional for cybersecurity listeners. If you have not read The Fifth Domain by Richard Clarke and Robert Knake, you should get on that right away. And the other one is Sandworm by Andy Greenberg. I recommend those two books highly. Those are the ones I've been reading lately. And for entertainment, I'm a giant zombie fan. At the Howard House, we all are. If you have not seen the Korean film "Train to Busan," you are missing out, because that is an awesome zombie movie. In my top three.