During his recent trip to DC to talk about federal cybersecurity policy on Capitol Hill, Charles Henderson, global managing partner and head of the X-Force threat intelligence team at IBM, found the time to sit down and have a coffee (er, brew) with IT Brew.
Between anecdotes about adversary simulation exercises—one trick? Spamming a user with multi-factor authentication requests until they click yes—and how the threat environment has changed in his multi-decade career as a hacker, Henderson shared his thoughts on dwell time, the impact of President Biden’s year-old executive order on cybersecurity, and the software supply chain.
On getting the most return on investment out of security:
The truth of matter is, you can’t legislate your way into being secure. Security is culture, it’s a commitment, it’s an investment…when you have a compromise, people think of it as an event. It’s more like a series of events. The initial intrusion, that can be a vulnerability, a phishing attempt, whatever gives an attacker a foothold. We did the same thing in our adversary simulation engagements or renting, where we'll do something over several months where we'll simulate a real attack. That initial intrusion, that’s real quick. In fact, it’s so quick that most of our customers don’t want to pay for it anymore. They just say, let's assume you’re able to reach us, and let's move from there. It’s called an “assumed breach.” Then what I want you to do is move laterally through the environment, start getting a toehold, investigating like a real attacker would do. And we want to see if we see you. It’s all about detection.
Now, it’s not about hunting down all the vulnerabilities. An average enterprise-class company has [something] like a million and a half unpatched vulnerabilities. If I add a couple to that list, have I really made a difference? And the truth is, no. They can’t patch the ones I’ve got. I can help prioritize those vulnerabilities, and that’s really important. But really, what we need to work on is detection strategies.
How do we find people that are moving around? And not only that, the dwell time—that time from that initial intrusion and initial breach all the way to, like, operationalization, execution, achievement of goals—that’s what we call dwell time. As a defender, I want to lengthen that dwell time as long as possible, so that my mean time to detect improves my chances [of detecting]—before something horrible happens.
On the impact of President Biden’s executive order on cybersecurity:
I think the first huge accomplishment, and this is a big one, is that people have stopped seeing security as a destination but an ongoing commitment...The second part of that is that I think, while it’s a continuous process and destination, [the Biden administration] set some achievable goals that companies can focus on. And I think all too often, in compliance regimes, people focus on compliance, checking the box, rather than meeting the overall goals and intent…There was a huge problem with information sharing. And the reason is, if you get an organization of any size, and you start debating what information you’re going to share, how you’re going to share it, there’s protracted discussions...that inhibit the flow of that information. People have opinions. “We shouldn’t share this information because of our operational security. It makes us look bad.” You need to remove that stigma. But you also need to give the people in the room that are trying to share the information the ability to say, “We have to share the information and here’s why.” Give them the ability to win the discussion.
Top insights for IT pros
From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.
On the implementation of zero-trust architecture under the EO:
What you’re trying to achieve, in large part with zero trust, is [to make breaching] a more difficult and lengthy process. So it’s absolutely integral to a successful detection strategy. That said, it’s not easy. If it were easy, it wouldn’t require a mandate to get it into effect across [the] industry. So a lot of organizations will have differing degrees of difficulty. One of the important aspects, though, [is that] as people engineer new systems, people handle transformations, they can make sure that zero-trust concepts are baked in from the start. And that’s really where we win.
Because of the evolution of business and speed, you start to see systems that are built from the ground up in a zero-trust concept. That said, a lot of these legacy systems are going to have real problems. Candidly, I think one of the issues that we have is that many of the most critical systems are likely to be the oldest and most legacy systems, because the owners of those systems don’t want to upgrade them. They don’t want to transition them because they are so critical to business that an outage would be business-threatening. You know, you can think of it as too critical to fail.
On the integrity of the software supply chain:
I think what we’re going to see is people worried about either malicious code or vulnerable code in their third-party software products. And I think we’ll see more of that. One of the keys, especially in nation-state activities but also in criminal activities, is there’s a one-to-many relationship.
If you can compromise software, if you can compromise the software supply chain and insert malicious code into, say, network management tools or something like that, and actually affect all the clients of a software distributor through that malicious code, your return on investment is much higher. It’s like a distribution model for you. And that software company is going to handle your distribution of your malware. It’s really attractive to attackers.—TM
Do you work in IT or have information about your IT department you want to share? Email tomm@morningbrew.com or DM @thetomzone on Twitter. Want to go encrypted? Ask Tom for his Signal.