Kirstin Burke:
Well, thank you for joining us. We are going to hop onto a topic that I know a lot of people are talking about right now, which is the MGM breach or attack that happened last week and that I think they’re still trying to shake out. We’re going to take a look at it from a different angle as our organization processed what was going on as I think a lot of others were. I think you can look at what happened to MGM in a couple of ways. I mean, first of all, I think it’s a wake-up call to all of us that when you take a look at an organization like that, casinos, hotels, lots of money going in and out of that organization, you know that they have invested heavily in physical security and cybersecurity and securing their data. And so when you look at that, you feel like, “Wow, if that can happen to them, it can happen to anyone.” Perspective one.
Perspective two, I think people can look at it and go, “Of course, it’s the MGM” or the week after it’s Clorox. So of course people are going after the big guys. Of course, cyber adversaries are going after the big fish. And I think we want to talk about that too, to say, “Yes and no.” So two separate topics, but at the end of the day, we really want to wind up and talk to everyone about, everybody needs to be secure and we’re really operating in this world where attacks, ransoms, it can happen to anybody. And if we’re operating in that world, how do you prepare for the inevitable? So I think those are the three areas that really have been talked about with MGM. We were like, “Let’s look at this from a few perspectives.”
Shahin Pirooz:
Whenever we look at scenarios like this, when we’re looking at threats in the world and things that are happening in the ecosystem, when we see news reports, articles or advisories that are coming out from the FBI that say, “Here’s the threat actors, here’s what they’re doing, here’s their indications of compromise,” number one, we’re taking that data and we’re making sure that we feed it into our own threat feeds so that we’re looking for those indications of compromise. So if they happen to one of our customers, we’re helping them protect themselves. But really the lens that I try to look at the world at when I see these types of articles, of course the sales side of our business is like we need to go help them. But the security lens that I always put energy into is if this was me and I was in that CISO’s shoes, where did I skip something?
What gap did I have that allowed this to come in? Was there something I could have done better? And no, I’m not trying here to point fingers at any failures or anything like that. You could do everything just right and somebody can still get in. We’ve had scenarios where they have the best layers of protections, whether they were with us or on their own, and still the bad actor got in. And with MGM, it is hard to assess MGM’s security footprint from the outside in. But this particular attack was a vishing attack where they basically used social engineering to get the credentials of an admin. And it’s really difficult in a security role to identify an admin that is doing something wrong and is it wrong or are they just doing their job? So when somebody has an admin credential that they didn’t crack or do elevation of privilege for, then it’s very difficult to identify that attack.
There’s the other security folks on the other side of this camera right now are saying, “That’s BS. You should have seen the password change. You should have seen the guy doing lateral movement.” And all of those things are true, but they rely on multiple layers of security and we should have also seen segmentation that would’ve prevented the lateral movement. So there’s a lot of things I would say from the outside in, it’s really easy to say, “Here’s where they failed, here’s what they could have done”, but let’s not spend our cycles there. So let’s put our energy into the two perspectives.
Number one, they are MGM. If I was a bad actor, I’d be targeting somebody like an MGM because the ransom’s going to be $3 million, $10 million, $3 billion versus “I’m going to go target a small company that I’m going to get maybe a million dollars out of.” That could be an accurate perspective for somebody to take, but the reality is it takes a lot more work to compromise an MGM than it does to compromise an average company. And if I’m sitting in a bad actor’s shoes who is running a ransomware ring or ransomware as a service model, I’m going to try to do a splatter across the entire ecosystem and whatever sticks, sticks, and I will take 30 million ransoms over one $30 million ransom all day long because the work, the effort, is much simpler on those 30 million ransoms than it is in the one $30 million.
So the thing that I would say to the perspective that says, “I’m small, they’re not worried about me, they’re worried about the big guys”, the metrics in the industry, the percentages, the attack ratios, all that don’t talk to that. We’ve said repeatedly a couple of these metrics, one out of every two companies is getting attacked.
Kirstin Burke:
Large or small.
Shahin Pirooz:
One out of two.
Kirstin Burke:
Across the board.
Shahin Pirooz:
Period. So you look left and right, the person to one side is getting attacked today or you. One out of two is a hard number to argue with. 50% of the companies are being attacked. Out of those 50% that are being attacked, 75% of those, three out of four of them are getting encrypted. That’s huge.
Kirstin Burke:
Not good numbers.
Shahin Pirooz:
Those are huge odds. And then somebody who’s been encrypted is going to get hit again. Eight out of 10 of those people who have been encrypted are going to get hit again. So if you take those metrics and distill them down to what they actually mean, you’re in a room with 15 people, three people have been attacked, encrypted and hit a second time, and five of them have been encrypted and seven and a half of them or eight have been attacked. So those odds are really, you got to just sit there for a second and say, “Oh my god, I’m in meetings or lunches or dinners or whatever with my peers. I’m sitting in rooms with 15 people and that many people have been attacked, but they’re not saying anything.” Nobody wants to say I’m being attacked. So let’s back up for a second and talk about what that means.
If you have the perspective that I’m not big enough for these guys to target, you need to shift that perspective immediately. They don’t care what size you are. If they get a hundred thousand out of you, they’ll be happy. They’re just making money and it doesn’t cost them much to generate an attack on a small company. They’ll take small companies all day long and almost everybody has cyber insurance today. So they’re betting on the fact that cyber insurance is going to pay out and you don’t have good security tools if you’re smaller. So it’s a lot easier to compromise and you haven’t done all the things you need to train your people so your users are easier to take advantage of. So there’s a lot of factors there.
But I know that most of you came to this session seeing MGM and you want to peel back the attack a little second. So let’s spend a minute talking about the attack itself. What ended up happening for MGM was there was a bad actor who did their social research and social attacks have changed over the years. What used to be social engineering used to be dumpster diving.
Kirstin Burke:
Literally.
Shahin Pirooz:
Yeah. We would go behind buildings and go look for emails, letters, whatever, identify employees, look for employee lists that got thrown away, whatever the cases were. We’d try to find information, bank statements or HR documents that had social security numbers on them. That’s what social engineering was; one aspect of it was the dumpster diving. The other aspect of it was dressing up like the UPS guy and walking into the building and asking questions. The other aspect was being the electrical contractor coming in to check the AC and walking through the building and plugging in a bad device, a rogue device.
Kirstin Burke:
A lot of time. That would take a lot of time to execute all that.
Shahin Pirooz:
And in that world, you typically didn’t do that across hundreds of companies, you targeted it. And in this case, this was a targeted attack. The social engineering of today is go to social media. So they went to LinkedIn. They identified who worked there, who was in a title that would probably have domain admin credentials. They did research on that individual on their social sites. They then called into the support desk and had the password changed and used a valid password changed by the IT team to go in and start to compromise and start moving laterally and start the encryptions. So while I said we could look at this in hindsight and say there’s a bunch of things that could have been done to slow it down, to prevent some of it, to reduce the attack surface, the source of this attack was a human that had made a mistake and fundamentally, that human that was the support person who changed the password by not having–and it’s not their fault, I’m not targeting this individual, by not having multiple layers of identification.
And I don’t mean two-factor authentication, I don’t mean that kind of stuff. If an IT admin is changing the password for another IT admin, two-factor doesn’t matter in that scenario. The password’s new and they’re going to get in. Where really the implication is how do you identify somebody who is calling in and you can’t see their face, you don’t know who they are, to validate that they’re indeed who they say they are. So there’s a layer of identity here that goes beyond the, “It’s me, I’ve got my device, I’ve got my pen, I’ve got my whatever.” That has to be able to be inspected with security questions that say, “Who is your grandmother’s pet?” Or whatever. Pick security questions that you love that the user puts in that validate that user is indeed who they are, especially for admins.
So I would say the door that got kicked open pretty easily, or I should say the handle that got turned really easily and walked in because the door wasn’t locked, was that support notion of, “We don’t have a way to identify that this user is who they say they are.” And I remember 20 years ago I had a customer of ours that called in and wanted their password changed and it was the CEO of the company and our team said, “I’m sorry, I can’t do that because you don’t have your ID, your PIN.” And they went irate and they bubbled all the way up the chain. And I remember having to have a conversation with that individual and I said, “This was an inconvenient and uncomfortable situation for you to be in, but imagine if somebody else had called in pretending like they were you and was irate and yelled at our staff and we did it and they got into your computer, they got into your bank accounts and they shuffled everything to the caves. What would you be thinking of us then?”
I could see the moment when the light changed in this person’s eye and they said, “Oh my god, thank you so much.” That hasn’t changed. That was 20 years ago and we just dealt with the same situation for a very large company. So we can’t lose sight of the basics is the key I would say here. We have repeatedly on these Tech Talks talked about, it’s a layered defense. You really need to make sure that you’re protecting at the edge. So when things are coming in from the outside, so we always talk about our five layers are email, DNS, endpoint, network and then 24 by seven visibility. But if in this case this wasn’t email, it was through the support desk, but concepts the same. Having that layer of defense that is your people or your first layer of events, right after that is the tools that are monitoring password changes, impossible logins, things like that.
Those tools need to be there. But once you get past that, the next thing is DNS. This hacker could not have spread like crazy without connecting to a command and control. Their system, whatever tool they deployed, downloaded and connected to a command and control and brought down the other tools to spread through the network and encrypt. They also exfiltrated data. So that exfiltration of data had to use a tool to exfiltrate. So that’s where the DNS component comes in to say, “We know this is a known bad site. There’s been attacks that have come from here before. These are file extractors or movers that we should keep an eye out for.” So alarms should have gone off there.
The next layer is the endpoint. As soon as the endpoint starts seeing, even if it’s a domain admin who is moving from machine to machine to machine encrypting and exfiltrating data, the endpoint should jump in and say, “Enough’s enough, I’m going to stop this thing.” Or obviously, I’ll come back to the people side of it. And then lastly, the network should have segmentation and zero trust access so that it would be difficult to get in and access anything. Once you’re in, it’s difficult to get beyond the small segment of the systems instead of spreading to the whole ecosystem. And then finally the 24 by seven security staff that is looking for all those signals.
And so that’s really, I would say if we were to dissect this thing and say, “What could I do better,” it would be to make sure that those layers of defense were in place. But as individuals, this whole thing started with people. So security awareness is something that everybody thinks, “I’ve got that covered.” And what that security awareness training has shifted to is phishing training, which teaches people how not to click on a bad email, but we forget social engineering, we forget the stuff that used to be table stakes 20 years ago. And our security awareness training needs to encompass and incorporate if somebody’s calling you and saying, or texting you and saying, “I’m the CEO”, or “I’m the IT admin, to see the board wants me to do X, I need it now, ship money here.” Those are all things that should trigger human responses to say, “Hold on a second, let me check this out.” We used to have a peer that used to say, “When in doubt, check it out.”
Kirstin Burke:
Yeah. Well, and I think it’s so hard, and this is exactly what adversaries play off of, is your human nature is, “I’m hearing something. Someone is either in peril, there’s something that needs to be done quickly, I need to help solve it.” That is your human nature, especially in business. If you are an admin, if you’re in IT support, that’s your job. And so it’s time doing mediation, time to fix, time to help. And so you are wired to help take care of that quickly-
Shahin Pirooz:
A hundred percent.
Kirstin Burke:
And that’s exactly what they play upon. And so whether you’re MGM or whether you’re Dick’s Hardware on Main Street, it’s hard to train someone to be discerning when they’re trying to do that. And you just wonder how do you train a help desk? Is it training or is it another layer of protection that we have to have? And how quickly is it that they’re going to find another place to breach through the humanness of what we are to try to get around the protections we put up?
Shahin Pirooz:
That’s a great question. We have a solution that we deploy for customers, our advanced phishing protection. And the immediate reaction I get when I talk to a prospect about our, we call it APP, our APP solution, is “We already do that.” I’m like, “Can you explain to me how you do that?” And they say, “We use KnowBe4” and 90% say that. There’s other solutions out there, but the 90% of them say we use KnowBe4. And I say, that’s great. KnowBe4 does do some phishing simulation, does it well. It also does do security awareness training and does that fairly well and it ties those together. But what they do in terms of the automatic and systematic, what I call inbox threat anomaly detection, is limited. They’re not actually crawling through the inboxes. They’re more relying on the end user to be your first level of defense.
So I always say, “Please don’t get rid of that, keep that.” And then they say, “No, I’m also using, pick a tool, for my email gateway solution, using Microsoft’s Exchange ATP Proofpoint, Mimecast”, you name it. And again, I say, “That’s great. That’s a gateway based solution and you should keep that.” What we do is we actually crawl through the inboxes and find threats that got past both of those things, the threats that are sitting in the inbox. Nothing changes in this context either.
When you look at what happened at MGM, should we have controls in place that say, “I need to validate that this is in fact Bob and Bob does have the authority to have his own password changed.” And then a policy that says, “Admins can’t request their own password change. They have to have another admin approve it”, and then on top of that, have a mechanism that teaches support: this is the policy, this is how we do it, and these are the controls in place. So you have to have the people side of it, especially for IT, and you have to have the controls in place and the policies in place that they can attach to, rather than making that poor person on the front line have to deal with an admin who’s pissed off because he can’t do his job.
Kirstin Burke:
So what I’m hearing you say is, and I guess it’s what we talk about all the time, that right now people are going to put into place, “Oh my gosh, okay, I got to go make sure my admins and my help desk is buttoned up more than they are just to make sure.” So now we’re all going to go out and we’re going to try to, I don’t want to say over correct, but try to get that up to speed and make sure that we’re good there. And while we’re doing that, they’re off finding somewhere else. But what you’re saying is wherever it is they come in, if it’s through the help desk getting a password change, if it’s through phishing, if it’s wherever, the priority is beneath that to have all of those layers so that however it is they get in, they’re going to find a way to get in the door.
It’s going to be the door, the bedroom window, the garage, whatever. Someone will find a way to get in. So the point is, once they get in, what do you do? So what are your prevention and detection strategies? And then, God forbid, how are you going to respond and react if you’re breached? So having those fundamental layers in place, no matter what is really the priority.
Shahin Pirooz:
A hundred percent. My first tech company I worked at was a company called TestRack, and of course I had to go figure out what that name meant, which I read and read A Wrinkle in Time, I did all my studies and I love the concept of a cube in the fourth dimension and always my perspective on how I solve problems is always looking at it from a cube perspective, which is you can come to the center of the cube from any one of the six sides. You can come in at any perspective and get into that core, so there’s multiple pathways into that core. And then you add the time dimension to that and now you’ve got another metric you got to think about. So that concept of TestRack, TestRack was a human resources company, so I have nothing to do with security, but it’s always stuck with me.
And that’s how I think of the world is we have to look at all the pathways into the target, into the gold mine, and not only from a path perspective, but from a time perspective. When in the cycle did they do this? They probably will come in from multiple paths, and this is no different. You have the human element, which is your frontline. You have the technology element, which is your technical controls, and then you have to have policies which are a blend of physical people and technology that tie it all together.
I laughed, this past week I was watching with my wife, the show, The Resident, and the hospital got compromised and they were asking, they started with something like $8 million and then they went to $1 billion and they kept going up because the hospital wasn’t paying. And the reason I laughed was some random person showed up and turned the tables on the hackers and basically exposed them by turning on the cameras on their computer systems and exposed them. So the FBI showed up and the ransom was done.
It’s not how it works in real life. It would be amazing if that’s how it works. I have not had one incident response where we’ve been able to flip the tables on the hackers. They’re smart, they’re like us. They’re not dumb people. They’re IT people who decided they’re going to go to the dark side. It’s like if you take Star Wars, where there’s Jedi on one side, there’s the bad guys on the other, but they’re all using the force. So the fact is we need to think about we are fighting against ourselves and if we were on the other side of that offensive, what would we be doing and how do we defend against ourselves and not thinking these guys are smarter than us, or these guys are dumber than us. It’s, they’re other technology people is the reality.
Kirstin Burke:
So we started out saying, okay, if MGM can be breached, if MGM can have this issue given the resources, given the experts, anybody can. True?
Shahin Pirooz:
True.
Kirstin Burke:
The other one we talked about was, “Well, thank goodness it’s MGM and it was Clorox and it’s all these people, they’re focused here it’s not going to be me.”
Shahin Pirooz:
That’s not my statement.
Kirstin Burke:
False.
Shahin Pirooz:
Yeah.
Kirstin Burke:
Okay. So you’ve gone through all of these layers and protections. We always try to wrap this up with, it’s complicated and I think our adversary takes advantage of the complexities, takes advantage of the fact that we’re probably always going to be trailing behind them, whether it’s from technology efficacy, whether it’s our skill sets, whatever, we’re going to be trailing them. How can an organization that is not in business to do security, how can you get close enough to hear that you can feel like your business is safe enough and not constantly vulnerable?
Shahin Pirooz:
I would say a couple of things. Number one is no matter how many times we talk about how it isn’t about the tools, conversations with prospects always go to the tools. And the reality is that we in tech have grown to, “Tell me how the tool works, what it does, what the mechanics are. I want to make sure we’re picking the right tool.” What we really need to back up to is it really isn’t about the tool. There’s 4,000 security vendors out there and each of them has varying scales of good, bad, or ugly. The approach really should be to make sure that you have the layers of controls and there should be due diligence gone into selecting those tools. That doesn’t have to be you internally. If you have a partner that does that due diligence and is picking the right tools and they have a track record of showing they can do that well, have some faith in that partner and put trust in that partner, but inspect that the results are there. Inspect that when you’re getting your reports and your data that things are being blocked, that they’re identifying things.
Those are all the layers of things to think about as you’re thinking about a solution. The challenge to the complexity to what we just described is to, if you go and try to implement that five layers of security that I discussed, and there may be many more layers, but we just covered five and when I say there may be, there is. There’s so many other things we can do to better protect our environment depending on the type of business we’re in. But to implement those five could take a long time. With tool selection, evaluations, implementation. We’ve seen companies that are on a multi-year journey to achieve what I just described.
Kirstin Burke:
And they’re not the size of MGM.
Shahin Pirooz:
They’re not the size of MGM, and we’re not talking, we’ve seen customers in the 50 to a hundred seats that are struggling with picking the tools and making it cost-effective, mostly because the vendors don’t think about those guys. They think about MGM, so they don’t make it cost-effective for the smaller companies. They have minimums that make it hard to onboard the right tools. So you have to settle for tools that do support the small ecosystem.
On the flip side, we see companies that are a hundred to a thousand seats that are on this multi-year journey and they pick a tool and they start implementing it, and by the time they get to the next layer, that first tool is no longer effective and they have to now evaluate a new set of tools and they don’t work well together. Or the tool they pick for layer two conflicts with the tool for layer one. So there’s so many moving parts to making it happen that delays and prevents, and in the meantime, hackers sit inside networks for 200 days on average, figuring out where your crown jewels are.
I heard a report the other day that it’s now 300 days on average, not 200. So think about somebody sitting in your network for a year and looking at where your systems are, what they are, where your good data is. So it’s the complexities prevent us from keeping up with the hackers. So what can someone do? I mean, the simplest answer, and again, this is the bias of somebody who built this infrastructure, find somebody who did what we did.
We have a list of the five layers of security that can be implemented in your environment with a 30-day onboarding guarantee. In 30 days you have those five layers of security and you’re now being protected against what’s in the market. We have customers whose insurance has come back with 200- or 300-question questionnaires and they turn around and they’re like, “What do we do?” And we’re like, “Send us the questionnaire”, and it’s check, check, check, check, check, check all the way down. And we knock out 90% of those. And some of them are HR people process type stuff that we can’t touch, but the technology controls are all checked with very little effort.
Kirstin Burke:
So you accelerate your ability to be insurable, you accelerate your-
Shahin Pirooz:
To stay insurable.
Kirstin Burke:
To stay insurable.
Shahin Pirooz:
Because the insurance companies are now saying, “If you don’t fill this out and if you don’t do this, we’re either going to increase your premiums by 400 or 500%, or we can’t insure you anymore”.
Kirstin Burke:
Right. Well, because they also are seeing 50% of their customers being breached now, and so it’s not for them, “Are we ever going to pay out?” It’s, “We know we’re going to pay out. How much?”
Shahin Pirooz:
How do we get better control?
Kirstin Burke:
Right. So yeah, absolutely. Time in that sense is of the essence. And the longer you wait to be mature, obviously the more at risk you are. Well, thank you. I hope this was valuable to folks who joined. And again, this was in no way an intent to either gauge, assess or critique MGM, but it was a use case for us to just dive in and say, “Wow, what does this mean and what can the average organization out there do?”
Shahin Pirooz:
Yeah, and everything I shared with you is information that’s publicly available for the MGM breach. So I definitely wouldn’t want to be sitting in that position dealing with the recovery at MGM. It’s a difficult position for them and their team. So our hearts go out to them, and this is in no way, like you said-
Kirstin Burke:
We’re all on the same side here.
Shahin Pirooz:
Yes.
Kirstin Burke:
We all have the same adversary. But what we will offer, as you listen to what Shahin spoke about, and if you’re thinking about where your organization is or maybe where you know it’s not, we have two things that we would love to offer you that we offer frequently. One is a security health check. So if you’ve already made some investments, if you’re wondering, “Hey, are we red, yellow, green, healthy, not healthy,” we would love to help you do that. We have a complimentary health check. We can get through that in two weeks for you and really help you understand where you’re at risk and where you’re solid.
The other thing that we offer is an economic roadmap. Shahin talked about people that are on this multiphase journey as most people are. Everyone has spent something. Pretty much nobody out there is saying, “I don’t need to spend on security at all.” So we understand you’ve made investments, so how are those investments working for you and where is it that over time would make most sense for you to continue to invest? So both of these things are complimentary. Both of these things really as we say, we’re all on this journey together. We are the good guys and we’re trying to help everyone be as secure as possible. So please take us up on that offer if you’d like. And with that, we will say goodbye and we will see you in October.