Each year at our Privacy & Security Forums, we run a session called “Hackers Versus Executives.” In this session, we ask a hacker to cause mayhem and then stop at different points in the attack to ask executives what their responses are. This year, we attacked applications, including containerized and serverless applications. Two months ago, we closed our London Forum with our Hackers Versus Executives session. As a throwback, here’s a look at my top 10 favorite responses that our executives gave, both in London and Washington, D.C. (Note: At times, responses were edited for brevity.)
- AMY: Shaun, as a CISO, how do you prioritize application security with everything else you must do?
SHAUN: I like to take a risk-based approach in general, in which I enumerate all of my security risks, rate them, and then really focus on the ones with the highest real risks. Having said that, application security, I find, tends to fall or end up at the top for several reasons, primarily because it’s a much harder problem to solve. In network security, we have lots of good tools and lots of experience in that space. Application security is constantly evolving the way we’re developing applications. It’s very people-based: the people who can make mistakes and the developers who can make mistakes. It’s very labor-intensive, and we tend to dedicate a lot of resources to application security.
- AMY: What are you doing to defend against an exploited vulnerability?
KELLY: We’ve prepared for it. The bigger problems arise when you are unprepared. So we would do some threat modeling and some scenario planning and runbooks. We would have the people and the decision makers ready for when we encounter an issue like this — hopefully nothing as bad as this. But the key is that you have to be prepared for it and plan for the eventuality of it happening.
AMY: Are you ready to pull the plug on this app? Are you ready to go that far?
KELLY: Absolutely, yes, completely.
- AMY: Andy, what’s the role of developers in security? And do they even care?
ANDY: We try to make them care. You make them care with your security awareness campaigns and the whole culture of security and why it’s important. I think one of the problems is that they probably do care, but they’ve got conflicting messages. So they have someone who’s their line manager who tells them all about the time-scale and to deliver to a certain point of competency, a certain point of functionality by a certain depth, so they’ll make compromises to reach that because that’s their priority. We need to make sure they realize these are quality issues, as well. You can’t deliver that functionality without the quality, because that’s going to endanger the organization and our reputation and effectively their bonus and their jobs eventually. So it’s about having those conversations and bringing that security message to the very front line of developers so they realize that the company cares about more than just the functionality and the date.
- AMY: So, Kris, how concerned should the average CISO be about the basic exploited vulnerability scenario?
KRIS: So my question is, why did this happen? And so from a CISO’s perspective, obviously, you should be worried about just basic hygiene. This shouldn’t have happened. You might need more than just traditional intrusion detection tools to detect this attack and also just to double down on vulnerability patching, because at the end of the day, that’s how these bad guys are making their way through the organization and executing exploits on vulnerable systems.
- AMY: Guy, the next time that an app is exploited and the customer data is stolen, should the director of AppDev be fired and not the CISO?
GUY: I’ll not accept the premise of the question. If firing somebody is your primary response when you get breached, then you’re guaranteeing yourself that good security people will not want to come work for you. This is really about broad ownership and clear responsibility. If your primary action is to fire somebody when something goes wrong, people’s natural reaction would be to not take ownership because then their job is on the line. I don’t think either of them should be fired in case of a breach as much as they should pull together and inspect why this happened, be transparent about it to their users, and internally, and talk about how to set up a system so that it doesn’t happen again.
- AMY: What do you think practitioners wish their execs understood most?
GUY: There are only so many hours in the day. If you want me to do everything, I can’t do anything well.
SHANNON: I think that everybody would like to see executives understand the difference between an exploit and hygiene. Not everything is useful for a hacker, and prioritizing as if it was is very detrimental to creating value for your organization.
SHAUN: I’m going to turn the question around. I think it’s the wrong question. I think the question is: What do the security professionals need to know about the execs and what’s important to them? You’re not going to be able to have a successful security program unless you know what motivates the execs in your company.
KRIS: I’d say it’s that compliance does not equal security, especially when it comes to privacy protection. I don’t think that they realize complying with HIPAA is not the same thing as actually having security protections in place.
- AMY: Shannon, how are you defending apps today?
SHANNON: Defense has become an active defense capability for us. The way that we look at it is very game-theory-based, and ultimately what we’re trying to achieve is blocking out bad guys by getting to the vulnerabilities and weaknesses first that have the most impact on our organization, essentially blocking out the exploits before somebody else can do something bad with them.
AMY: And you have how many people on your team?
SHANNON: I probably have one of the largest red teams in the world. I have about 45 people who are dedicated to finding and exploiting before the bad guys do.
- AMY: How would you defend against this serverless attack, Shaun?
SHAUN: I can answer that a couple of ways. First, I’d almost go back to fundamentals. And this has nothing to do with the fact that this is serverless or not. The original entry was a known vulnerability. I think the key thing for me is having an effective vulnerability program. That involves really three things. One is having some way to identify when something really is vulnerable. As much as we like to discuss zero-days and they’re sexy and everything, the reality is that most of these attacks that succeed are not zero-days. They’re vulnerabilities that have been known for a long time. You have to then figure out who to assign these vulnerabilities to. Who has to fix the code and do the work? And then you have to have a mechanism that actually holds people accountable for doing that.
- AMY: Kelly, a new critical vulnerability is announced, and it impacts your applications. How are you going to manage that?
KELLY: You need a cross-functional group of people to analyze the impact of that vulnerability across your whole estate. What do we need to do in terms of patching all the different layers? How fast can the cross-functional team respond? What mitigations can you put in place, and in what time frames? Is there anything you can do instantly? Or what can you plan out in the weeks and months ahead?
- AMY: Arnaud, what have you done ahead of time to protect these very vulnerable applications?
ARNAUD: So, it’s a set of measures that are on the technology side but also that need to go outside of the technology. The technology side is very classical, not easy. First, you need to know what you have to protect. You need to know the list of the applications you need to protect. So when you are in a larger organization, for which a number is thousands, for sure, it’s more complex than for a small organization. When you are entering with such an amount of data to protect, you need to identify the criteria of prioritization. So, for example, maybe you can consider the externally facing applications instead of the ones that are purely internal. You have to make a link between your IT asset, your application, and the business process you are supporting. And it’s a long journey, but this is how you go beyond IT in order to bring this discussion to a board discussion.
Are these the same as your favorites, or were there others that you liked better?
Thanks again to my panel of executives and my hacker: Arnaud Brenac, Shaun Gordon, Shannon Lietz, Kris Lovejoy, Kelly McKillen, Guy Podjarny, and Andrew Rose. I’d also like to extend a huge shout-out to my research associate, Kate Pesa, who made this blog possible by transcribing both events.