Microsoft Cybersecurity Summit - Event Recap
The Cloud & Cyber Threats
iCorps Technologies assembled a panel of cybersecurity, compliance, and cloud computing experts to answer your most pressing questions at our live Microsoft Cybersecurity Summit. Watch the full event recap below.
[Chris Stephenson - iCorps Technologies] So two-factor authentication. How many people in the room know what two-factor authentication is? Ok, so pretty much a couple. How many have it implemented? Ok, interesting. So for those that haven't implemented it—can you—who wants to take the importance of two-factor authentication in any environment?
[Laura MacDonald - Microsoft] So RSA, we'll start with that, where it was like all the time, everybody, VPN, we wouldn't necessarily use it internally. Microsoft's got a different twist on it - which I really am passionate about - if you try to get the user to do multi-factor authentication for everything they're doing, they're going to get tired. They're going to go around you, it's just not going to work.
So there is a concept, which is called conditional access, which does a lot of analysis on the user, the device they're on, their location, etc. I could go on and on. If the user is okay, they're in the office, on a laptop they're always using, and their identity doesn't seem to be compromised, then it's not required. If I am on my grandmother's computer in China, I'm absolutely doing MFA. The one difference would be privileged identities. Absolutely with privileged identities, you need to A: Reduce your administrators. And B: Make sure they're using multi-factor authentication.
[Question #1] Can you define privileged identities?
[Laura MacDonald - Microsoft] For the most part, it's administrators to different systems. Whether it be on-premise systems or you've got somebody that's administering Azure, AWS, Google Cloud, whatever. It's somebody that has the control to access your critical information or take down your critical infrastructure.
[Jeffery Lauria - iCorps Technologies] And actually, you know, one of the very bad practices I see a lot of the time for in-house IT is that the in-house IT person's everyday user account is a privileged account. It's a lot easier for them to not have to maintain two accounts, so it's a privileged account.
So one of the things that we see is when we're called in—let's say there's a ransomware attack. We know that ransomware, generally, as a rule, is limited to whatever it can get its hands on. Well, if you're the administrator, unfortunately, it can get its hands on everything. So that is one of the things we see time and time again. People use privileged accounts when they just shouldn't. You know, I have two accounts in our organization. I seldom ever use my administrator account. Actually, I think our team shut it off. I seldom ever actually do that because, again, you know, there's no reason for me to actually do that because I write emails all day. This is what I do, why do I need a privileged account? So I think that is a really good tip for anyone here.
[Chris Stephenson - iCorps Technologies] The first question is, what are the top three threats to data security today? A fairly broad question; each of you may have a different answer on that. So Alan, let me start with you please.
[Alan Toews - Sophos] The top three threats to data security—I think the number one threat is user behavior. I mean, the users are—that's the first line of attack in many attacks. If the user is not educated and is susceptible to just clicking on a link that just shows up in their inbox, then now you have to react to that threat that's just gotten into your network. I would start there. Users are the first line of defense, and the first point to show up in securing your network.
[Ben Darsigny - Mimecast] Yeah, certainly. Users, I think are a factor in almost any attack, at least the attacks that we see at Mimecast, obviously being email-related. They are the target. I think the most dangerous from our perspective are the ones that mix not just the traditional URL-based or attachment-based attacks, but the ones that are really based in social engineering. These days, you're getting a lot of attackers who are very knowledgeable, and really take their time to craft these attacks, and target them on an individual who, as we all know, is out there and available on the internet. Whether it's LinkedIn, Facebook, company website, etc. They make it very difficult to recognize when one of these attacks is happening, versus getting a normal email from somebody they trust. So the use of that to then get in, and maybe steal credentials and get into the broader network that way probably has the biggest impact among the attacks that we see today.
[Michael DePalma - Datto] Yeah, I think these two are spot on. User errors—kind of look at any statistic, and we can judge that most of these attacks are utilizing user error. This is social engineering, spear-phishing attacks. It's a lot different than the emails you used to get from your long-lost uncle asking for $5,000. That's not how these guys are getting through.
I also think though, one of the big threats is the folks that are behind this and the players that are behind this. Chris mentioned the teenage kid [hacking parents' Netflix]. There's still some of those out there, but this is really organized crime at this point. This is what organized crime is shifting to because there's so much money to be made and very little risk of getting caught, especially with the prevalence of Bitcoin and other cyber currency. So, you know, we're seeing foreign governments get into these, and even terrorist groups. This is why they're so sophisticated because everything is connected. You know, you hear the internet of things, and it's become kind of an annoying term at this point, but it's true. You can get in through just about anywhere, and their intentions are oftentimes much more devious than just trying to exploit a few thousand dollars from you. So to me, that's a pretty scary threat—not to scare you guys too much.
[Laura MacDonald - Microsoft] Alright, I'll take it in a slightly different direction. What we're talking about is stealing data. Too many organizations don't know what data they have, they don't know where it is, they don't know how to classify it. So once they get through the first layer of the user, if you don't have a data classification and data management program, you're really kind of setting yourself up for failure. GDPR, if anyone in the room is subject to that, brings it to a different level of it's not just about business data stolen, and what do I have to do, but any citizen in the UA—EU sorry—can reach out to you and say "you need to tell me what this is", and you need to do it quickly.
[Jeffery Lauria - iCorps Technologies] So what I'll say, you know, when we talk about three pieces, our users first and foremost, they are the first line. So we all agree upon users are the first line. The second part of that is shadow IT. You know, to your point, we don't know where the data is, we don't know where it sits. A user's not trying to be malicious, a user's trying to be productive. So in an organization, you may be using, for example, Microsoft 365 SharePoint but someone is using Box, and you don't know what data is sitting there. So controlling the data, and knowing where it is, is probably two. And then the third part is really having your team, your organization, adopt security. It is amazing today that I'll go in and I'll talk with business leaders, and they're not using multi-factor authentication. Multi-factor authentication is the single biggest thing that you can do in your organization to protect not only users but the data itself.
And so those are probably the three biggest threats and those threats by the way, are not people coming in, they're threats within your organization. So again, MFA, security controls and adoption, shadow IT, where your information is, and then training your end-users. That's very, very important.
[Chris Stephenson - iCorps Technologies] It's interesting that we went so quickly into the data and knowing where your data is, but it has hit the market very rapidly—the GDPR requirements—but even just in general. One of the things I've become aware of recently, is that 90% of the world's data that exists now, was created in the last three years. That's how rapidly we are generating content and data. And if we don't know where it is, we're creating it, where every day—it seems to me—we're creating a bigger challenge right?
So one of the challenges—how do we help—how do you approach your customer and help them with this issue, which is not—almost comes before the security itself, but the actual location of the data and what they have there. How do you educate your customers on that and how much do you talk about? I'd like to start with you Laura because Microsoft Office, email, there's so much there. What's the process that you go through to educate your customers or your partners on that?
[Laura MacDonald - Microsoft] So, DLP's been a term that's been out there for a very long time. Add our sales, the sales engineering manager for the DLP product line. And back then, I even had the thought "that's a last chance effort, it gets out, and now what do I do?" So what we're doing at Microsoft is building it right into the data itself. It's within the email. It's within the Office Docs. We just announced at our big conference last week, that Adobe has it baked in, to do the classification of the data itself so that it shouldn't get out. Only those with access can actually access it. Better yet, you can even go as far as revoking it.
Now when I say that, I have customers that look at me and say "there's so much, I don't know where to begin." You've got to start with what is your—whatever classification you want to call it—highly confidential, confidential, intellectual property—pick your term for the stuff that are your crown jewels, and the stuff you think is critical. Start there, and kind of work your way back from there. And yeah, where is it to start with? I think there are standard capabilities to look for as well, and it's our end-users that know what these classifications are. It's not the security people, it's not the IT team, it's about putting it back in the hands of the end-users. Not saying that's easy, but you've got to start looking at that.
[Chris Stephenson - iCorps Technologies] The world is moving so quickly to the cloud, right? And I don't know what numbers or statistics you have on this Jeff, or on our customers versus the populace in general, but the cloud is becoming the place to do business. How is security impacted there? Things like ransomware, or if I'm thinking about going to the cloud, right? What security issues am I facing there? Let's say from a disaster recovery standpoint, or a data storage standpoint, or an email standpoint. If I begin to think about my architecture in the cloud, what am I putting myself at risk for, or what am I actually gaining strength on, or what kind of things are we thinking about in the cloud migration? Maybe start with you, Michael?
[Jeffery Lauria - iCorps Technologies] Well, that's a good one!
[Michael DePalma - Datto] Yeah, absolutely. So at this point, we at Datto, we've got our own private data centers, we've got nine around the world. We protect 450 petabytes of data. It's one of the largest private clouds in the world. So in terms of protecting our own cloud, we've got 256-bit military-grade encryption in transit and at rest. So if ransomware hits a device, goes in, and we back up that encrypted data, there's no risk of it getting up to our cloud. So that's, you know, personally what we do.
We are obviously seeing that shift to everyone moving to the cloud, and at this point, we are not backing up third-party clouds. But as an internal, you know, kind of strategy, of course, we're moving towards that. It's not something you can just jump right into, but that's something we've been looking towards because it's, you know, that's going to be the wave of the future. So for us to evolve, and we're talking about small businesses evolving, that's what Datto has to do as well. So we're going to be looking at how we can do that effectively, securely, allow folks to have access to their data, virtualize, and all of the rest.
[Ben Darsigny - Mimecast] Sure, yeah. So, being at Mimecast for a long time now, when I first started there one of our biggest hurdles was actually getting people comfortable with the cloud because we've been a cloud-based organization, cloud-based infrastructure since day one. And seven years ago, people were not okay with that in a lot of places, especially given the industry. Microsoft has made that conversation a lot easier because so many people have adopted Office 365, and it's not really a hurdle for us anymore.
But it does come with a new set of risk factors because you don't own the infrastructure anymore. There are a lot of great reasons to not have it anymore. It makes it a lot easier. It can be a lot more cost-effective. But you no longer can go to a data center or server room and get your hands on the issue if you are hit with ransomware, or if there is some sort of corruption or an outage or whatever it is. So that requires an added layer of oversight and something else that you can rely on in that situation, whether it's added security to make sure to the best of your ability you're not hit with ransomware, or a high availability solution if your mail infrastructure gets hit with ransomware. For instance, can you still send and receive mail so that your business doesn't stop completely? Or do you have a way to restore to a known "good point" so that you can get back to where you were before that happened? So, those kinds of added pieces that come along with not owning the infrastructure have to be taken into account and part of that risk mitigation profile that you're creating.
[Chris Stephenson - iCorps Technologies] Alan, just real quick on that. Can you pick up on that? And I want to start by saying, this is your opportunity to get me on the endpoint protection because a lot of people think of Sophos, they think of endpoint protection. This is your opportunity to talk about how you guys handle the cloud.
[Alan Toews - Sophos] Yeah, absolutely. So really what I was thinking about in this question was, as people are moving to the cloud, what we are seeing particularly is if you look at IaaS, for instance, a lot of companies are moving portions of their data center or their entire data center over time into IaaS. But they are not always thinking about the consistency of their security policies across their perimeter. They'll still have something on-premises, they'll have something in the cloud, but they may end up with disparate tools to manage both. They end up with inconsistent policies, and when they go to make a change they often forget about one or the other, usually the cloud. And so if you—what you want to do, whatever your strategy is, make sure you're looking at primary tools in the cloud, and on-premise as much as possible. This doesn't apply to SaaS in the same way. You want to make sure that you have something where you can manage all of those policies from a single point. Where you have visibility and consistency, and you don't have gaps, and missteps that are forgotten just from excessive complexity.
The whole point is to—the point of the cloud is to simplify your life, or one of the points is. Don't make it also complicate your infrastructure policy life in the process. So if that means setting up the same policy products in the cloud to manage those virtual networks as you have on-premise to manage your physical networks, then make sure that that's the step you're taking to do it.
[Chris Stephenson - iCorps Technologies] Great, and I see Laura fidgeting at the end, and I'm sure she'd like to mention OneDrive or how that is impacted in all of this. I mean, do you have something—your two cents to add in?
[Laura MacDonald - Microsoft] Anything, anything. Alright, yeah. So let's—so thank you for distinguishing SaaS versus IaaS, because with IaaS absolutely there are still network controls that need to be in place. But when you talk about SaaS, you need to stop thinking network. It's gone. Sorry, you can't hug the firewall, you can't kiss your server. It turns it on its head with what is the one common denominator when I talk about any of this data being accessed - whether it be through OneDrive, Box, Office 365, I don't care. It's an identity. So I've got to start looking at how am I going to look at my security posture through the lens of an identity, and make my risk decisions from that standpoint. And I mentioned one way of doing that earlier was kind of through conditional access, and looking at what's going on with this user before I grant them access to whatever it is I'm granting them access.
[Chris Stephenson - iCorps Technologies] Great, ok.
[Question #1] So, with the recent Intel chip-set vulnerabilities with Spectre and Meltdown, you know, that kind of stuff goes to the core. It's not the user. It's not the data. It's baked into the hardware, and that's everybody's problem. So my question is, what do you think about the future of more open-hardware designs, and open security standards, and collaboration among vendors? Because if it's everybody's problem, what is the solution?
[Alan Toews - Sophos] Yeah, I mean, these are things that raise a lot of questions, and if you're looking at shared community environments, it's been pretty serious hacks to look at and look hard at how they're solved. And these have not been easy things to solve because they seem to have performance impacts on—or there's certainly been the risk of performance impacts—that have been closely evaluated. And I think—from the broad side of view if you look closely at everything that's come along and—but I think to the broader question you're asking, like many areas where there's a new avenue of attack that's kind of exposed, what this is really exposing in the industry is that a lot of the things that chip-makers have seen as ways to improve performance—and certainly that's what they are—they also allow side-channel attacks, and they respectively become a vulnerability when looked at under the right lens, and that's what these attackers are doing.
And I think this is just reading the next generation of chip design that will be a more mature process and will take this into account. Whether it's an open design as far as the blueprints...I don't think that's where it's going to go, but maybe. More likely it's just that this becomes a maturity process for the chip vendors to be building, and accounting for the needs, and finding new ways to optimize and improve performance, that don't use these techniques that cause problems.
[Jeffery Lauria - iCorps Technologies] Actually, I'll respond to that real quick. You know, there are always going to be vulnerabilities, there are always going to be flaws, and it's just the business, so to speak. Alright, so obviously patching systems when you can, but you know, all these vulnerabilities and flaws need an avenue on which to be executed. And as long as you're aware of that avenue that needs to be executed, you can craft your defense around that. Alright, so it is very important. Security is not a set it and forget it. It is not an "I'm going to visit it on Friday at 2 o'clock at lunch," alright. It is a day in and day out job. So, if you're not aware of what's emerging—and this doesn't have to be complicated, right—this is a news feed, an RSS feed that shows up in your mailbox every single day, right. It is a look at what's happening outside of the United States. Look what's happening in Europe. Look what's happening in India. Specifically, in India to be honest with you. Look what's happening there, and then craft solutions around that.
So even though we are going to have vulnerabilities in hardware—your toaster is going to be able to, you know, see what's going on with your refrigerator, and we know that's going to happen. So how do we protect against it? So, vendors will get better. I don't think that open-source hardware is going to work, frankly, because at that point the secret sauce goes away. Right? At the end of the day. Then there's no difference between AMD and Intel right? They're all in the same field, they know what they're doing. So I think that's going to stay, but just understanding what the threats are.