In the wake of the SolarWinds fiasco, a new executive order mandates practices to prevent future attacks…
How well does it address the threats?
And what does it mean for you?
To answer these questions, I invited Scott Sarris, Executive Vice President of Digital Transformation and Cybersecurity Advisory Services at Aprio, onto the show. Together, we break down the new EO into its most important components.
In this episode, we discuss:
- Why the EO was necessary and what it means for cybersecurity
- The role SolarWinds plays in the wording
- The language acknowledging that Zero Trust is the most secure approach to cybersecurity
To hear this episode, and many more like it, you can subscribe to The Virtual CISO Podcast here.
If you don’t use Apple Podcasts, you can find all our episodes here.
This transcript was generated primarily by an automated voice recognition tool. Although the accuracy of the tool is 99% effective you may find some small discrepancies between the written content and the native audio file.
You’re listening to the Virtual CISO Podcast, a frank discussion providing the best information security advice, and insights for security, IT and business leaders. If you’re looking for no BS answers to your biggest security questions, or simply want to stay informed and proactive, welcome to the show.
John Verry (00:24):
Hey there. Welcome to another episode of the Virtual CISO Podcast. With you, as always, your host John Verry. With me again is Andrew VanSeveren.
Andrea VanSeveren (00:33):
John. Hey everyone. I like to start wine tasting in a French castle, that doesn’t sound awful.
John Verry (00:40):
I have never tasted one in a French castle. I have drank wine in a Italian castle, I will tell you that’s pretty damn wonderful as well.
Andrea VanSeveren (00:48):
Wow, very nice.
John Verry (00:51):
All kidding aside, though, if you go to Italy and you visit the wine country, many of the places that you are these old estates, many of them are actually castles. It’s actually not as crazy as it sounds because over there, there’s quite a few castles still around. What’d you think of my conversation with Scott, was a bit of a different one.
Andrea VanSeveren (01:10):
I thought it was really interesting. I mean, the Biden Administration’s recent Executive Order really, is making cyber security and national level priority. I mean, some of the requirements are pretty broad. It’s really important to understand what that means and how that’s going to impact folks.
John Verry (01:28):
I thought Scott did a good job and it was a fun conversation because I think a lot of it was conjecture. It was figuring out, what are both the potential near and longer term implications to the Executive Order. What does it say about where we’re going as a country? I think that idea that our national security is inexorably linked with the security of our economy and the companies that form it is the overarching missive, if you will. I think when you look at each of the individual components of the Executive Order, they speak to the likelihood of additional guidance being offered by the government. Perhaps a lot of that guidance will become less and less voluntary. Let’s leave it at that.
Andrea VanSeveren (02:15):
Right. Well, I mean to your point, I think, it’s important to the business to maintain and achieve security compliance, but also at a national security level. Right. Either way, I think, it’s really important, you want to tune into this podcast and learn more about the implications of this Executive Order and how it’s going to impact your organization including as you’re working to achieve CMMC compliance.
John Verry (02:38):
Agreed. With no further ado, let’s get to the show.
Andrea VanSeveren (02:41):
John Verry (02:43):
Scott, thank you for joining me today. How are you, sir?
Scott Sarris (02:46):
I’m doing well. Thank you. Thanks for having me.
John Verry (02:49):
Looking forward to this conversation. I always like to start very simple. Tell us a little bit about who you are and what is it that you do?
Scott Sarris (02:57):
I work for a CBA led advisory firm, by the name of Aprio, I’m an Executive Vice President in the Digital Technologies and Cybersecurity Space. I have about 30 years of experience in information security. I’ve been blessed to watch information security blossom into the enterprise that it is now, in our space. I got a Doctorate Degree in Information Systems and numerous certification from various organizations.
John Verry (03:30):
Cool. Thank you for that. Before we get down to business, we have a tradition here to ask a question, what’s your drink of choice?
Scott Sarris (03:38):
Red wine, preferably a nice Cabernet Sauvignon from California or maybe something from Aix-en-Provence, that would be a red as well typically for me.
John Verry (03:53):
The Provence that you’re referring to, is that French?
Scott Sarris (03:57):
Yeah, it’s in the Southern region of France. I was blessed to go down there a few years ago and do some wine tasting and the Chateauneuf-du-Pape region, Region of the New Pope, since there was a number of popes that lived in that region, they have no castle down there. It’s quite an interesting town if you ever have a chance.
John Verry (04:17):
Got you. If you go California, any particular region, are you a Napa guy, a Sonoma guy someplace different?
Scott Sarris (04:23):
I like it all. I’ve done wine tasting up and down the trail there in California, it’s a great time. But, no, there’s really nothing that I’ll point out that is my preferred favorite. But the Napas do tend to be in my glass more than anything else.
John Verry (04:41):
Well, it’s some awful good stuff there. I also enjoyed red wine and a Cab is my preference, although a good red blend or a good Zen, certainly, I’m not going to turn it down.
Scott Sarris (04:54):
I’ve been doing a few of the Argentinian Malbecs as well.
John Verry (04:57):
I’m not a Malbec guy, there’s a flavor that doesn’t quite, I mean, it’s not bad but I’d much prefer a Cab. All right. Let’s get down to business here. The Executive Order, I think, for anyone in our field was awful interesting. I think that there are definitely some implications to that would be fun to chat about today. I’m just going to start with an overarching question. What were your thoughts or impressions on reading the Executive Order?
Scott Sarris (05:29):
Well, when I read the Executive Order, of course, I started, like everybody else reading the policy section and I interpreted it not as coming from the President of the United States, but really as a director from the executive of a large organization setting, kind of, the overarching strategy and expectations of that executive to the constituents within his room, in this case, the federal government agencies. I believe it did a very good job establishing those expectations in that policy section to drive the speed of government to adopt information security policies and approaches that reflect a more aggressive posture in dealing with those security risks the government faces. I was actually a pretty happy to see it.
John Verry (06:27):
I was too. I’m a laissez-faire guy, I’m not a big believer in government mandating what we should do. But to me, when I read it, the one thing that came out of it to me was the recognition by our government that our national defense and the security of our government sector is directly proportional to the security of our private sector. That if we don’t work together and that might mean some mandates on their part, that we can’t be the US anymore, right. We can’t be viable, right. In order to sustain our sovereignty, if you will, we need to understand that we are at cyber warfare and that the government is saying, “We recognize this. And we are going to start to exert our influence on, not only our own cyber posture, but also the cyber posture of anyone that does business with the government.” Which largely involves the vast majority, I think, of our economy.
Scott Sarris (07:26):
I think it did a very good job linking the defense of our nation to the private organizations that operate. I found it interesting and like you, I’m not a big fan of government dictating everything. However, I found it interesting that the approach as you peddle through this document, is one of directing the federal government and the executive branch to contract and to engage with knowledgeable third parties to do things like collect information about cyber attacks and logs and other things versus dictating that they will provide it in any case. I didn’t find it very aggressive in its posture. I thought it cocaine kind of a moderate tone to their approach.
John Verry (08:20):
If you think about it, right, you could destabilize the government by destabilizing the significant private companies within that country. I think that’s kind of where they’re looking at here and saying, “Okay, we have to clean up our own house. We have to make sure that the folks that we’re working with clean up their house because we’re interdependent.” I think was kind of the message that I got. Do you immediately, when you read it, think of any near term implications for organizations or longer term implications, where did your brain go there?
Scott Sarris (08:55):
My brain went to, frankly, the piece in Section Two and Three regarding FedRAMP, the Federal Risk Program for the acceptance of services from the cloud environment. We’ve had NIST standards for many years, going all the way back to the old orange book days. It has slowly and progressively improved over many years. I think some of the directives in this piece around the speed of expected change and its impact to risk acceptance from the federal agencies for services that are rendered to them, really caught my eye because you typically don’t see those type of programs rapidly improve. Some of those directives around automation and the collection of federal information for purposes of approving their services and getting your authority to operate seems very tight to me. I’m wondering how quickly they can actually roll that out.
John Verry (10:05):
The message I left with was, “Get ready for some overt guidance from the federal government on your security posture. CMMC and FedRAMP are not our last shot across your bow. As always, it’s going to be a fun next few years as this evolves, I think.
Scott Sarris (10:24):
I think so.
John Verry (10:25):
Let’s do that. Let’s walk through the document a little bit and talk about some of the impressions that we both had, right. You already mentioned the policy, thoughts, one of the things that I picked up on the policy, I did mention that kind of concept of partnering and I thought there were two other things that caught my eye in the policy section. One was a brief mention of IPDRR that kind of, I think it was a nod to the NIST cybersecurity framework, that concept of identifying, detecting, protecting, responding and recovering. Then I also thought it was interesting that there was an explicit mention of it and OT as well. Thoughts?
Scott Sarris (11:03):
Well, I think, the structure of the recommendations or the directives in here did follow the identify, detect, respond type approach. I believe the fact that they are looking at information technologies with operational technology, is kind of the nod to the problems that we’ve seen in recent events right. Critical infrastructure, such as the pipeline attacks and a reduction of food supply and others, really kind of show us that the two are very much related, right? We don’t today run a pipeline or even produce meat products without the information security apparatus, that’s behind everything. In a lot of cases, it’s operational technologies, even if the operational kind of technologies can and do operate independently, it doesn’t mean that the information technology side doesn’t represent a significant rest of the operation side, simply due to the linkages and working between the systems communications between them.
John Verry (12:16):
We’d love to have been a fly on the wall because I do think you’re right. I think that, there’s a couple of places in here where recent events and including the colonial pipeline and the SolarWinds situation both seem to have been there, that there are elements of this Executive Order that are direct response to that.
Scott Sarris (12:34):
John Verry (12:36):
Got you. The section two was also interesting, removing barriers to sharing threat information. What are your thoughts? What are your key takeaways from this section of the document?
Scott Sarris (12:48):
I actually, my initial thought was, “Oh my goodness, did they know how much information they actually are trying to collect and sift through.” The aggregation of information via logging information at the base side, or even the top side, even information that’s collapsed and aggregated and reported upon is incredible. Generally speaking, I think it’s good. If you treat the federal government as if it’s a private entity and you want to see each agencies operating as if it’s an independent business, it does make sense, to understand and aggregate information, visibility across the organization as a whole. How it’s done is obviously not laid out here, clearly just a strategy for doing it. I’ll be interested to see what the actual plan of action would be, “No,” for this sort of thing. In general though, it’s a great idea.
John Verry (13:48):
Yeah. It’s funny, I didn’t think of your thought. I think that’s a fascinating thought because, even a small organization generates gigabytes of logs in short periods of time. If you’re talking about dealing with the federal government and then the cloud service providers that service the government and the other entities, you’re talking about an awful lot of data. I do think that the way you do it, it’s going to be interesting. Were you surprised because I was, that I didn’t see anything about the IECEx, if you look, we’ve got these IECEx for each of the critical infrastructure elements and I didn’t see them mentioned. I found that odd. Did you?
Scott Sarris (14:29):
Generally speaking, I think they can drive this the way they’re trying to drive it, which is through CISA NIST and federal contracting. I don’t know that they had to go into the IECEx as a mechanism for doing that. Most of those represent a prioritization and subset of NIST and other control frameworks already. I think they can be modified after, was kind of my thought. That was my reasoning for thinking didn’t direct directly address stones.
John Verry (15:04):
Got you. Another thing which was I’ve been amazed by is, the CISA, is the Cybersecurity and Infrastructure Security Agency. I never remember that. That’s why I wrote it in my notes here. I’m amazed how prominent a role that CISA has moved into in a very short period of time. I don’t remember them ever being all that critical. The other thing which I thought was really interesting is that so much of the responsibility for our cybersecurity program is now falling under CISA, which is under the Department of Homeland Security, which is awful interesting, isn’t it?
Scott Sarris (15:42):
Well. If you look critical Department of Homeland Security, that’s always been their responsibility to deal with critical infrastructure. But like you, I was surprised that a CISA was so prominently displayed here in many respects. I think this becomes their charter going forward and establishes a great deal of authority and responsibility to that agency above and beyond what we’ve seen with like CNSs and some of the others.
John Verry (16:10):
The other thing too, to that point, I actually went and looked at the CISO website and they specifically say, “Our partners in this mission span the public and private sectors.” Which I thought was interesting that my initial thought was, “Hey, the government’s recognition of the private public partnership necessary to remain a sovereign viable country.” Then, the idea that it is all is now falling under CISA which falls under the Department of Homeland Security. It’s an interesting stack, if you will. The other thing, I don’t know if you noticed that in the language here they mentioned in here, who else is involved in this section? It was like, the NSA was an interesting group of companies. I’m not seeing it now, but in my notes, I wrote down, it was the Secretary of Defense, NSA, OMB, and GSA, right.
Scott Sarris (17:04):
I found that interesting as well at the alphabet [inaudible 00:17:08] of agencies that are expected to support and integrate to this new policy. Well, it’s now under CISA, that would be Department of Homeland security. I guess we shouldn’t be surprised that the Secretary of Defense and others are involved. The NSA and director of national intelligence and others. That was a little surprising, but given DHS is kind of, responsible for a great deal of this. Shouldn’t be surprising, I guess, that they brought all the agencies.
John Verry (17:42):
Really interesting. The next section of the document was on, something you already brought up, which I was glad you did, because, I thought this was really interesting, was modernizing federal government cybersecurity. One of the key elements there was FedRAMP, which you talked about a little, you might want to jump into a little bit more now. There was also some other really interesting elements. I thought this was the more interesting sections. What were your thoughts on their thoughts in Section Three here?
Scott Sarris (18:09):
Well, Section Three really started, in my opinion, with the Zero Trust counsel. I believe that this represents an acknowledgement that traditional perimeter based security has been dead for a while. Probably accelerated a little bit with the whole COVID thing, right? The perimeter defense model, which is [inaudible 00:18:32] a big tall wall around my organization with firewalls and then layer security to the inside of the organization. Until, we finally get to the more trusted into your resources of the organization, kind of, started to fall apart many years ago. The deep parameterization process accelerated as we saw AWS and later Azure. More of the organization’s resources outside of that boundary, further accelerated with this whole COVID thing, right? Not only were the resources used for executive to gain access to outside of the perimeter of the corporation.
Scott Sarris (19:10):
Now the users are all outside of the perimeter of the corporation. You can only protect those things that are behind that barrier of Zero Trust and driving that as a strategy makes great sense, because, that kind of zoned model approach has essentially been illustrated to be quite a weakness. Driving to the protection of the endpoint, later on, they talk about end point detection software. They called them out other key concepts, such as, through a trust to gain access to resources. Just because I’m on the inside of an organization, doesn’t mean I should be trusted to gain access to a particular resource. Many of those concepts are kind of laid out in here. I was actually surprised at the depth that they went into, some of the technology expectations that seemed a little bit of a push from a policy perspective. Maybe that’s an acknowledgement that they needed to give a little more guidance and direction to the federal government agencies to get off the dime and move forward into some of these areas.
John Verry (20:14):
I agree, Scott, I was a little bit surprised by the explicit nature of some of the guidance, which, we knew they were talking about… They mentioned cloud adoption, which we knew we were moving towards any way. Right. Which was one of the drivers behind FedRAMP. But, the explicit mention of multifactor authentication and encryption at rest and encryption in transit, I thought it was interesting. I did like the fact that there was some emphasis on cloud governance. I think that’s something which is lacking. I mean, we’ve all moved to the cloud, but I don’t think we’re doing a good job of governing it. I thought the Zero Trust was really fascinating because what we’ve seen from NSA, what we’ve seen from DHS, what we’ve seen from NIST and what we’ve seen from even private sector companies like Microsoft.
John Verry (20:57):
I thought the Zero Trust is interesting. I had a John Kindervag on the podcast who is widely credited as being the person who invented Zero Trust. As you might imagine, that was an interesting conversation because I mean, it’s been 10 years in the making since, he came up with this idea and to see it suddenly gets so much attention in such a short bit of time was really interesting.
Scott Sarris (21:17):
John Verry (21:18):
Did you notice they used the term, unclassified data at one point. I wondered if that was a nod to CUI and CMMC and 800171, or was that just a chance use of that phrase?
Scott Sarris (21:31):
Well, I think it was a nod to that whole, see, concept in 171 and so on. You also see some of the terms they tried to build in as much of the NIST matured as possible throughout this, as far as guided use of acronyms and songs. I read it the same way.
John Verry (21:51):
Then, the one thing, you already mentioned this, but I thought it was a really good observation on your part is, I thought the whole section about improving FedRAMP, the automation, documentation, creating web-based versions of things and things of that nature was a very good endorsement of FedRAMP because, I’ve heard whispers that there was some people that were not behind the program, I know that was created by some entity and the question was whether they were going to continue to fund it, but it looked like what they basically said is, “Yes, FedRAMP is here to stay and we’re going to make better.”
Scott Sarris (22:25):
I saw that as kind of a double-down on FedRAMP, clearly establishing what the risks are using any service should be the goal of that federal agency. FedRAMP gave them really good lens to, what are the risks of adoption for a particular service, you can criticize FedRAMP in many different way. You have multiple approaches to federal authorization. One is, kind of the JAB approach, the Joint Authorization Board or where systems that have incredibly broad applicability across the federal government, Microsoft and so on go through an authorization process, it’s different from the typical agency ATO, Authority To Operate process, but in any case, both of those processes drive an incredible investment and documentation for the organization. I think it’s a difficult bar for many organizations to get to, and I believe that maybe a nod to some of those complaints or some of those concerns expressed that they may be keeping really good technology companies or software or services out of the mix simply by making them more difficult to obtain. In many respects, I see this as simplify, right? Get me better, interfaces into and ability to edit, simplify the documentation process and Authority To Operate process for some of these companies. I think that’d be a welcome thing for FedRAMP, I think has been incredibly useful and you was great tool, but anything we can do to improve that would be welcome.
John Verry (24:04):
If we can make the bar a little bit lower to get over, and not in terms of the security posture, but like you said, “The paperwork and the efficiency of the process, it would be fantastic.” Right. ‘Cause it’s a half million dollar investment for most firms, right. If we could bring that cost down a little bit, I think we’d have more of a liquid marketplace, if you will. The other thing, did you notice the V that’s up on the screen here, I thought it was very interesting as well is, allowing those frameworks to be used as subsistent for a relevant portion of the authorization process. Do you think they were speaking to the concept of the CMMC reciprocity that we’ve heard, talk or are you even ISO 27001 reciprocity or a similar?
Scott Sarris (24:47):
We spent a lot of time in our business cross-referencing frameworks to do assessment activity in major organizations, something as simple as a suck two versus ISO versus NIST and so on. I would like to see some level of reciprocity for these standards that they’re pushing forward that, they’ll accept evidence of an assessment in one area, good for the other. The other thing I thought here, actually was right above that. That was sectioning for digitizing and streamlining documentations for online accessibility and pre-populated forms. One of the concepts you threw out there a little earlier was that the level of governance that we see in the cloud environment, particularly around provisioning and initial configuration setup and so on, tends not to mirror what we did in the more physical environments of the data center, the gold images and everything else. I would love to see a link between the two where we can use tools that do cloud scaping and other services and drive that documentation directly into these forms as pre-populated fields, so we could accept that we’re configured correctly. We’re patched for it.
John Verry (26:02):
If you think about that logically, right. For any of the organizations that are doing kind of infrastructure as code, that same process that pushes that infrastructure’s code could push that configuration validation and, or configurations into some type of a tool, which would certainly simplify the process.
Scott Sarris (26:23):
You would hope so. We’ve seen much maturation over a number of years now as to escaping my AWS environment to meet a particular standard be it HIPAA, be it tough, whatever it is. We’d love to see some movement there going forward. Except that the tools output some of the assessment activity that’s done manually today.
John Verry (26:48):
Got you. Should we just refer to section four as the SolarWinds section?
Scott Sarris (26:55):
SolarWinds is an important concept, right, that is protecting the integrity of the software, is everything we’re doing now in cloud and software defined. You better have good control over the repository and integrity of the software that you use, then downstream in the cloud, SolarWinds is kind of that nod to this concept. Or this concept is, I think, directly driven back to your point, to the SolarWinds attack and making sure that that software as part of our supply chain is adequately protected.
John Verry (27:27):
The other thing that was interesting to me is they covered, I think, a ton of ground in the section with regards to this, right? They talked about the SDLC, they talked about automated tools to maintain trusted source code, supply chains. One of my favorite things is the idea of a software bill of materials. They kind of blended a lot of stuff there, didn’t they?
Scott Sarris (27:49):
They did. I kind of found the software bill of materials to be interesting.
John Verry (27:55):
Scott Sarris (27:55):
Probably the least interesting. But for me, it was very interesting because we’ve said for many years now, if you don’t know what you have, you can’t protect it. Understanding what assets the organization has is critical to understanding and protecting those assets. The software bill of materials I thought was fantastic.
John Verry (28:15):
The other thing too, is that they talked a lot about the SDLC and they didn’t give very specific guidance. I think they said at one point that NIST is going to come out with something. I wonder if we’re going to see stuff that’s more aligned with let’s say, the OWASP Software Assurance Maturity Model, whether or not we’re going to see something which is lined with BCM or something of that nature. Did you get a sense of what direction you thought they were going?
Scott Sarris (28:38):
Not from this document. Like you, I would love to see a more expansive treatment from NIST or one of the others on this area. Particularly, kind of the overlay to the DevOps model. As kind of the model of many organizations are adopting, how do we integrate security functions into the DevOps model to emulator or replicate kind of the whole concept of where we had segregated functions performed within the organization. Now, it’s all kind of, into the cloud ops kind of, organization and that is what the company calls it. How do we get the level of governance there that we can be comfortable with, that assures us that the right things are done at each stage of the development and integration to a platform. That we would have been comfortable with 10 or 15 years ago. I think it is going to require a level of reporting and process management that probably would have been not necessary when it was all segregated into different groups. Right?
Scott Sarris (29:45):
Now, DevOps, a simple example, before development would go into the networkings and I need to open a firewall. I need to open this port. I need to go from this place to this place. A separate group would perform that activity, right. Infrastructure to software. It says, “Well, they can just pretty well do that without any oversight for directions, documentation, governance, and so on. How do we get a level of governance and that we’re comfortable with that sufficient oversight is provided for some of these changes when the DevOps cycle is performed by a single team.
John Verry (30:20):
The section that I have up there, the employment automated tools, I thought that was really interesting. To me, I could see a lot of tool vendors licking their lips when they see this. The implications to it are interesting because I can see both positive and negative implications to open source efforts. Right. The code control explicitly has some value proposition, but then code which is open and leveraged by tens of thousands of organizations and is vetted by a broader cross section has value. It’ll be interesting to see what the implications are. Not only to the tool vendors, someone like a black duck software as an example, but also the open source movement.
Scott Sarris (31:09):
In many respects, the open source movement is good for our industry because you have so many people developing and driving that application software. In any case, how do you then drive to I now trust this application software. If we look at parallel instances of this, for example, some of the software used for encryption and so on, where it has to meet federal standards, if its 140-2 and so on, becomes problematic, getting it certified and getting it to be trusted and so on, going forward. Under six, I think this parallel problems we’ve seen just in a microcosm of that open source space.
John Verry (31:52):
I’ll probably scrap the name here, right. It was heartbleed, right. That was the open SSL. Right. We had open SSL, which has been around forever. I mean, probably one of the most widely leveraged and most quote-unquote trusted, of the open source efforts. We ended up with a major risk in involved in that. It does get interesting. It’s going to interesting to see where it all goes there. We talked about the S bomb, which I thought was fantastic. The other thing, which was interesting, did you notice the IOT component, which I thought was interesting in source code section, kind of felt out of place to me, but the idea that the NIST shall publish guidelines, recommending minimum standards for vendors testing of their software could include identifying recommended types of manual automated testing. Then, right after that, a specific to IOT devices and a consumer labeling program with increasingly comprehensive levels of testing we do a lot of IOT device testing. That one really come out here.
John Verry (32:50):
Yeah, “It should catch your eye right.” Coming up with a government standard that can be applied to the consumer marketplace for the purposes of validating what level of security is appropriate for that? That devices is an interesting concept. And the fact that it’s going through kind of the FTC enforcement approach, I thought was also interesting, right. More consumer trust approach as an enforcement tools.
Scott Sarris (33:21):
Did they explicitly mentioned the FTC?
John Verry (33:23):
I believe they talked about the FG. Wow. That’s really fascinating if they did, because I’m looking at this and I’m thinking to myself. You’ve got ENISA, which is fantastic. The European National Information Standards Association. Right. And this has put out some good guidance in 82:22 and 82:59. Then you’ve got someone like the IOXT Alliance, that’s trying to push up a testable standard there. OWASP has a grade standard, the IOXT internet security verification standard. Could it be really that I found this section fascinating and I think it’s deserved and necessary. I mean, because I mean, when you look at the MRINetwork. Right. Somebody deploys tens of thousands of cheap video cameras, surveillance cameras that are not properly protected. Somebody harnesses that for what was the first terabit was a gigabit of terabit, they now serve as attacks.
Scott Sarris (34:23):
In Section T, 270 days from the data to order, safety of commerce, acting through the director of news and coordination with the chair of the Federal Trade Commission. Now, that is the kind of the enforcement concept. It’ll be interesting as we go forward to see what form that takes and how well Zuckerberg kinda of great electronic organizations and IOT kind of concept, adopt. Promote that but I see that as a good thing, specifically, since we’ve seen so many of the default password router and camera and other things. Now, the other side of that says, that will have a positive impact, hopefully on some privacy issues. We see there as well, the protection of information that in those consumer systems and that are never collected things like video and so.
John Verry (35:15):
I wonder what they consider consumer product, right? A lot of the testing that we’ve done is for what I would refer to as commercial products, think about digital lighting management solutions for large scale office buildings, smart thermostats for deployment in hotel chains and things of that nature. I wonder if that would fall under the concept of consumer labeling. What makes something consumer?
Scott Sarris (35:39):
That’s a good question. I mean, that goes to intent of the product ongoing to guess. But we have so many products that started in consumer space, have been adopted by a corporation, someone who was ed router and that has been used in large scale deployments, some of the Cisco product when they bought various companies. I guess, we’ll have to see, I didn’t see a really good definition of consumer labeling.
John Verry (36:07):
Me either. At least, I don’t know if you had the same thing, I felt we worked our way up the mountain in sections one through four, and then I kind of felt the end of the document kind of was… Okay, we got a couple other things. It was like more house housekeeping. I don’t know if you felt the same way. What’d you think of this cyber safety review board section?
Scott Sarris (36:31):
If I take a step back and look at, for example, NTSB is responsible as a separate agency investigate failures in our transportation system that occur whether it be airline or trainer or automobiles, I think it can have some value to have a board of experts oversee the accident or wreck, in this case, maybe is that, these attacks successful attacks in particular resulting in quite a lot of damage. I think having some independence in determining what was the true cause and making sure that it’s adequately documented and distributed for use so that others can avoid these type of taxes, a good thing. Now, if it takes a year to write the report and disseminate the information, by then technology is, will be passed, it’s fine, but we can only hope for the best here. I think you can have values.
John Verry (37:34):
Jealous, because I didn’t think of it being the NTSB. When I think of it that way, I think that’s awesome. I think your analogy was perfect, but I agree with you, those reports take a long time after playing crashes. Hopefully, they’ll be able to get through a cyber. Unfortunately we don’t have black boxes.
Scott Sarris (37:54):
Oh, if I look at the black box more than the log data from the airplane based on section. We should have-
John Verry (38:06):
Unfortunately the signal to noise ratio might not be where we want it to be.
Scott Sarris (38:08):
John Verry (38:11):
All right. Section Five was a pretty simple section. Let’s talk about Section Six, right. Section Six was a standardizing the federal government’s playbook for responding to cybersecurity vulnerabilities and incidents. What were your thoughts there?
Scott Sarris (38:24):
Well, there’s already a very good set of known standards for incident response. I think the categorization process under NIST is pretty good. I think where we really lack, and frankly, in this space is the human resources. The humans tend to be the weaker link in incident response. Rather than save that we have to have a better playbook, I really think we need better players on the field, running the playbook versus trying to rewrite the entire process. Now, disseminating that information and ensuring that all agencies can benefit from it, creating a clearing house for that, that others become aware of the situation more quickly and can respond or detect appropriately, I think is a good thing.
John Verry (39:25):
I saw this as being connected with the previous section, the idea is that if you’re going to have this entity that is going to do these after action reviews, if you will, that making sure that people are following the same script, ahead of time simplifies that review process also creates a self improving feedback loop, if you will. I kind of got the same impression that way. I do agree with you that process is part of it, but if you don’t have the right people you’re dead anyway. Right.
Scott Sarris (39:57):
Now. It does have value that to normalize the process and specifically categorization as enough is, notably wanted as much of that same format as possible, that you can see through it more easily. Process does have an impact here as a collection of data in the enrollment process, but the people community.
John Verry (40:20):
Section Seven, right? Improving detection of cybersecurity vulnerabilities and incidents on federal government networks. It was interesting to me that this one was specifically to federal government networks where they didn’t make that same clarification. What were your thoughts on this section?
Scott Sarris (40:35):
Well, the executive branch federal entities I think would benefit from EDR capabilities quite well. I didn’t see them extending in to the military side or the non executive branch side, because I think there’s probably a little more worry that you could subvert the tool set to undermine the military posture. My thought is that maybe that was in their head, you saw this in the various from the very early days of antivirus, right? Anti-Virus was going to be the panacea of protecting our desktops from all things bad. What we found was, occasionally someone would figure out a way to subvert the antivirus and actually do bad things to the desktop using it as an attack vector. That’s kind of, how I interpreted, that maybe there wasn’t a level of comfort with Ida, that pushed him to go beyond the federal civilian space.
John Verry (41:38):
That’s a really interesting perspective that didn’t even occur to me. It makes some sense. I thought it was interesting that they were explicit about EDR, I suppose, thought it was interesting that they were explicit about cyber hunting, which is, one of those things that everybody talks about, but I don’t know how effectively it’s done anyway. It’ll be interesting to see if they can figure out a way to do it effectively.
Scott Sarris (42:03):
Well, even this moderate baseline has a capability that it’s supposed to kick off when you find evidence of an attack or a true incident within the organization. You go back and look for things that have gone bad within the organization who do some hunting. It’s not necessarily driven as a normal exercise, but it’s still there. I think it’s a good thing. I don’t know. I would rather find out before it happens and instrument it on the front end and find it on the backend, but it is a viable security control and more organizations should be doing it, particularly when they have evidence of some form of an incident, especially a critical type incident within the organization. I think it does. It is worth it’s time to go back through the organization logs and other information and look for evidence that this has been, this is occurred well before. Look at incidents that have occurred in the organization, used to say that it took over a year to detect a true incident. I think that if people did take the time to go back and hunt, maybe that number would be shorter.
John Verry (43:14):
I would agree with that. It’s also interesting to me when I read this section, I was thinking about how it relates to other sections and I think strong advocates of Zero Trust would argue that if you’ve implemented Zero Trust properly, that the value of cyber hunting goes down, right. Because we’ve effectively white listed all communications. Be interested.
Scott Sarris (43:38):
Zero Trust is a really great goal, but at some point there has to be some trust might my desktop of my administrator, hopefully I’m coming from a trusted device when I launched my session and gain access to the administrative console like citizens, for example. But so many times what we see is those administrator accounts are the ultimate target, right. Specifically for crypto locker type of attacks. For me, I think you should go back and go hunting for, “Hey, did somebody use that account? We saw somebody hit that account eight or 10 times. We’re going to classify this extreme incident. Go back and look, you might find something interesting. Should it be necessary? Probably not. But, we can control technology to a great deal. Can’t necessarily control people to the love we want. Oftentimes that’s where the failure, right?
John Verry (44:37):
Yeah. The same, I mean, you can’t go wrong with a belt and suspenders approach and correct.
Scott Sarris (44:42):
Correct. That’s why so many security people wear a 10 foil hat, right. [crosstalk 00:44:48]. Make me feel better.
John Verry (44:52):
We finish with Section Eight, improving the federal government’s investigative and remediation capabilities. Any thoughts?
Scott Sarris (45:00):
Wow. I don’t know that the federal government needs additional authority to do investigations in this space. I thought when I looked at and have seen them work in this space before that I thought they had the authority they needed. Maybe, this links back up to the public private partnership concept at the beginning where we want to share information from the private sector, with public entities, for purposes of aggregation and so on. Maybe that’s the purpose here. At least, that’s kind of how I was starting to understand it.
John Verry (45:39):
Yeah. I was thinking the same thing. My favorite, I like the section, because I’m an old same guy, skinny security, information event management guy. I like the one section here that’s highlighted right now where they’re, they want to be more explicit with the requirements for logging, because I think way too often, what happens is people turn on logging systems and they think, “Oh yeah, we’re protected. We’re getting logs from everything.” What you find out is that they’ve got logs from the system, but not a critical application on the system, or they have logs for the system and the critical application, but they’re not gathering the right event types from that log. I think this idea of getting people to understand that you’ve got to match the system, the application and the event type from each of those, to what we’re trying to accomplish with logs is valuable, biggest. The vast majority of people I’ve ever spoken with don’t really get it.
Scott Sarris (46:33):
No, I agree with you. I think the protection log information is, is vital. You should never rely on the host system itself to collect and protect the logs. I think that’s a given here, the encryption through consolidation, at some point has to be to protect its integrity during transmission and make sure it’s not infected on the host, but too often today, John, we still see organizations failing the log broadly in the organization. I heard somebody say, not too many moons ago that authentication and authorization is the new perimeter. We have to identify everybody, and that becomes a common mechanism to identify who we’re working with, right. If they’re no longer behind our firewalls and so on, from the outside edge of our organization, many cases and still we see organizations fail to adequately log their authentication mechanisms, or they do just Microsoft side and they fail at the application side. You go into a hack and it’s they broken on the Microsoft side. What did they do after that? Gosh, we don’t know. We don’t log any of the applications where our critical data is. We really don’t have any clue what they did there, but it’s all gone.
John Verry (47:53):
Well, one thing we should have been nicer here. I would love to be a fly in the room when they’re writing things this would be whether or not, they talked about being more explicit here. The guidance that I liked, I would have loved to have seen was, any system which is relevant, which is any system that stores processes or transmit information of import. I think that’s always a good test to use. Right. If data is traversing a router in that war firewall and that firewall router is that the administrative logs to that need to be kept. Right. Because we don’t know what someone can or can’t do to block that information from getting to where it needs to get.
Scott Sarris (48:29):
I would also like to see some prioritization of areas like administrator access, privileged access management of engineering workshop. See, we could find some level of prioritization there, specifically, for those admin accounts across the space, an admin operating system.
John Verry (48:51):
I guess, they’re always trying to balance things when they write this. But I think on par and it sounds as though you agree with me, I think on poor, I was, and again, I’m a laissez faire guy, but I was impressed with the document overall. I thought that the ideas behind it were good. I thought that there was an intended message beyond what was explicitly said. I think that got through and I think it was well done. I was left with a positive impression of what we’re trying to accomplish here.
Scott Sarris (49:18):
I like you was quite impressed with the document. My interpretation was one of, I kind of read it as executive guidance, setting expectations from the executive branch to the rest of government, on to the agencies, on what their expectations were to move them out of a paradigm that clearly is not working. To drive that into the private sector specifically in the critical infrastructure space. I thought it was bumpies.
John Verry (49:46):
Me too. We’re going to find out right now folks how busy Scott’s afternoon was, because I only sent him our notes for this conversation earlier today. I never, I don’t know if he ever got to the bottom of it. Do you see the did you have a chance to prepare for the question I’m about to ask or I won’t ask it if you didn’t.
Scott Sarris (50:05):
Go ahead and ask, I don’t know.
John Verry (50:07):
He looks panicked folks. I’m just going to let that, anyone who’s listening, he’s got to look of sheer terror in his eyes. All right. We’ll go.
Scott Sarris (50:16):
Skill set not for every consultant.
John Verry (50:23):
All right. We’re going to say, we’re going to figure out how busy your afternoon was and how good a tap dancer you are is, what we’re going to figure out. What fictional character or real person do you think would make an amazing or a horrible CISO? And why?
Scott Sarris (50:39):
Let me see. One of my favorite characters was John Wayne.
John Verry (50:46):
Scott Sarris (50:47):
Yeah. I think he would have done really well in the physical security space. But probably not so good in logical security space, his methods may have been too abrupt. The CISO over the years has had to go from the person who says no all the time. Right. Who used to protect things by simply saying no all the time to being the person who says, “Yes, but you have to do it in a manner that’s consistent with our policy.” I don’t think John Wayne would have been able to make the transition right. To do something kind of off the coffin. You might’ve been shot in the photo or something. I don’t think that’s an appropriate response to the season today.
John Verry (51:30):
What was the movie? He did an Iwo Jima, right, was one of his movies. Sands of Iwo Jima.
Scott Sarris (51:40):
Something like that.
John Verry (51:41):
I can’t remember.
Scott Sarris (51:41):
Did you loose your-
John Verry (51:45):
Yes. What was that? What was that? Was it? That wasn’t Shane, was it?
Scott Sarris (51:50):
John Verry (51:50):
That he designed.
Scott Sarris (51:51):
That was another.
John Verry (51:53):
James Coburn might’ve been Shane, anyway, my uncle who’s really more like an older brother to me. He’s only six years older than me, was a big John Wayne, Clint Eastwood guys. When I was a a little kid, I used to end up watching a lot of the old John Wayne movies. Now you have me thinking I should go back and rewatch a couple of them, at least. You tap dance well there, Scott. Because, I know you weren’t prepared. That was off the cuff folks. That’s pretty good.
Scott Sarris (52:16):
I’ll tell you how-
John Verry (52:17):
[crosstalk 00:52:17]. That was one of the best answers I’ve ever gotten off the cuff. Congratulations. All right. Awesome job today. Thanks. I really enjoyed the conversation. If folks want to get in contact with you how would they do that?
Scott Sarris (52:34):
They can find me @aprio.com. I’m one of the Executive Vice President in the Digital Technology and Cybersecurity Space. We provide consulting, consulting organizations that need to improve their security posture, taking them from the assessment, a strategy and all the way through execution.
John Verry (52:54):
I can speak personally to the competency, the folks over there. We do a lot of work with the attestation group, Dan Schroder’s group. Dan’s been on the podcast, the folks at people, they’re stoper or smart people, and they are trustable and they’re nice to work with. So we, we a lot of our clients use them for the attestation side of the work that we do together.It’s a great team over there. Scott, man. Thank you so much. I appreciate it.
Scott Sarris (53:21):
Absolutely. My pleasure. I look forward to doing it again someday.
You’ve been listening to the Virtual CISO Podcast, as you’ve probably figured out we really enjoy information security. If there’s a question we haven’t yet answered, or you need some help, you can reach us @[email protected] And to ensure you never miss an episode, subscribe to the show in your favorite podcast player until next time, let’s be careful out there.