Index OnAir: Staying Safe at Home When Security Threats Aren't 6 ft Away

by Index Ventures



COVID-19 has caused widespread disruption to every business, but also impacted security decisions through the shift to home-working and a changing threat profile. In our latest Index OnAir, our Partner Shardul Shah discusses the state of security in the era of coronavirus and picks up gems of advice from Adrian Ludwig, Chief Information Security Officer (CISO) at Atlassian, and Dave Merkel, CEO and Co-founder of Expel.

Shardul Shah: What basic hygiene do you recommend to help keep users safe?

Dave Merkel: Sing along if you've heard this before: multi-factor authentication, single sign-on, backups, and patching. We’re still telling people that in 2020. These are the same things I was telling people pre-2006. In my opinion, we should be past that; these should be table stakes to even open the doors of your business.

Adrian Ludwig: I would add two things to that list. The first is to keep it simple. So many people buy a laptop and then extra antivirus and anti-malware products. Instead, get a Chromebook, or an iPhone, or an Android device. The modernity of those operating systems fundamentally changes the security profile.

Secondly, don't ever choose your own password. Any popular browser has a built-in password manager that will recommend a password for you. Click yes, and move on. One of the biggest compromises is duplication and reuse of passwords, but if you use passwords protected by Google you’ve got the best security team in the world using their risk engine to monitor on a regular basis.

Shardul: What are the net positives and negatives of trusting Google?

Adrian: In security, there is always risk. There absolutely is a risk that Google gets compromised and all the passwords in the world get exposed. But if that does happen, Google's going to know, and they’re going to automatically reset all those passwords. It hasn't happened in roughly 10 years that they've been providing that service, and there’s continued incremental and increasing investment in protecting that service.

I firmly believe that the reason security sucks as much as it does is because it has been highly fragmented and cost-competitive. The consolidation of the tech stack basically increases the incentives for companies like Amazon and Google and makes the economy of scale work for security. The benefits of having your infrastructure running on those platforms vastly exceed the risk.

Shardul: How have threats changed as a result of the pandemic, and how are B2B customers responding to that?

Dave: Bad people use bad times to do bad things. The number one problem for our customers is still business email compromise, and in March we saw a 12% uptick in those kinds of attacks across our customer base.


I’d expect April to increase again. The bad guys are essentially conducting marketing campaigns trying to influence you to click or download something. We’re at a highly emotional, sensational time, and that creates a great screen and cover for them. We’ve also seen a continued increase in attacks against customer cloud infrastructure like Amazon Web Services (AWS) and Google Cloud Platform (GCP), and that's because more customers are using those environments so attackers are following them.

Adrian: Working from home has changed the basic topography of our tech’s surface from a user endpoint standpoint. We have split tunneling enabled for our developers. A lot of the web development work is producing web servers that spin up and spin down on their client workstations — not to give too much away! We're trying to figure out whether anybody is probing that, though we haven’t seen anything yet. We have seen a strong uptick in bug bounties, and professional researchers having more time, but we haven't seen direct endpoint manipulation.

One of the big challenges around Google services was that people moved around a lot, so building threat models and risk models based on proximity was difficult. But right now, there's nobody connecting to any of my consumer accounts from anywhere other than this house. That's something a risk model should be flagging, catching a lot of indicators that were previously hidden in the noise.

Shardul: How do you secure users’ physical machines when they're not behind the corporate firewall?

Dave: Our security model at Expel was built for that from the ground up. There's an established concept called zero trust in which you make the assumption that everything your end-users rely on can’t be trusted. It means you authenticate everything using multifactor and single sign-on as much as you can. You secure aggressively against the endpoint for that user, with AV and maybe some endpoint detection and response solution like CrowdStrike or Carbon Black. If you're a newer business you can build this zero-trust model from the ground up.

Shardul: Some companies have been hit really hard and had to scale down significantly. What security issues should they prioritize?

Dave: You’ve got to get into a different mindset and focus on the fundamentals we talked about at the beginning. And be realistic. If you’re a hotel chain that has lost 80% of business overnight, you’re not going to have the luxury of sitting about worrying about nation-state threat actors, but you want to still be effective if some ransomware shows up on a Tuesday. I’d also recommend that if you’re a CISO in an organization that’s badly impacted, build on your business relationships. Have an enabler mindset, and lean on other organizations or on your CIO or CTO so that you know you're not alone trying to fight those battles. You don’t want to be all alone in the night.

Shardul: What's best practice in identifying and prioritizing a business’s most critical functions?

Dave: When you first come into a business, you should have conversations to find out the most crucial function for each piece of the company, and how different scenarios impact those. It’s highly likely that a global pandemic and the market disappearing overnight was not on that list, at least not to this extent, so revisiting this is step one. What was a priority in December might not matter at all right now. So don’t just rely on your own perceptions. Have some tough conversations about risks and get your priority list down to the bare minimum.

Shardul: How do you communicate with the executive team about product security?

Adrian: Management’s role is not to be your dad or mom, or whichever of your parents is the one that tells you what you need to do. And our role is not to be your priest, where you come and tell me all the bad things that you've done and expect me to absolve you of your sins so you can continue doing them. Our role is to be a trusted advisor, where someone can ask us if they don’t know the right thing to do. We help them — and then they fix it themselves.

If bugs aren’t getting fixed, that's not a failing of the security team — that's a failing of the engineering team for not adopting the security practices recommended by their CISO. If there’s still a problem, either the CEO should be fired for not following those recommendations, or the CISO should be fired for making recommendations that aren’t appropriate. Despite that, it still seems to be the most common model in the industry that the CISO makes recommendations and the executive team doesn’t follow them.

Shardul: Is it possible that companies eventually won’t need CISOs anymore?

Adrian: It is my belief that in the long term, the CISO role doesn't exist, the same way ‘chief electrician’ doesn’t exist. Most of the functions of a CISO will be part of the platform provided by whoever runs your underlying infrastructure. And frankly, we’ll be better off for that.


It helps with the scaling. In aggregate, cloud providers are all seeing growth, and that gives them the ability to weather almost any kind of disruption and still invest in security at a very high level.

Shardul: Dug Song at Cisco said you can change the risk profile of a business by inviting everyone in the organization to participate in the security model. What other processes make teams more collaborative and more secure?

Dave: We put a lot of emphasis on the concept of transparency when we started the company. It’s about having good judgment, but also about risk-taking and saying that it’s OK for mistakes to happen. People need to be unafraid to say when there’s a problem so we can deal with it actively, rather than exposing ourselves or our customers.

I know from my experience at other security startups, and knowing executives at other startups, that they sometimes have really crappy security. We didn’t think that was right, so early on we put a heavy emphasis on walking the walk. We hired a security leader right from the start who reports to me. They educate the board and they hold me and my team accountable. It means it’s not just the CISO raising these issues — it becomes ingrained in everything we do.

Shardul: What are your regular security habits for yourself, your family, and your home?

Adrian: I'm not very paranoid. I once told a journalist that I left my front door unlocked most of the time. I had to get home and make a few changes after that. But I think fundamentally it comes down to awareness of yourself and your situation. Pay attention to what’s going on around you, both professionally and personally. Listening is probably the best offense and defense.

Dave: Paying attention resonates with me too, including world events. The likelihood of desperation-based physical crimes is significantly increased right now. On the more technical side of things, something we tell our employees is that they should expect to be targeted.

Shardul: Are there any more positives to come out of the experience we’re all living through?

Adrian: We’re finding our employees are more productive around micro-tasks, probably because it's a mindless form of escape. It means there’s a big uptick in the kinds of hygiene that we’re not usually interested in. I mean everyone’s in pajamas, but at least hygiene is going up from a technical standpoint.

Dave: We’re living through something very scary, but there’s a positivity that we’re going to get through, that we will survive it. There’s a resilience that comes from surviving tough things. I’ve also really enjoyed watching how people have been able to lean on each other. Last week we did a ‘take your kids to work’ day, online. Someone read them a story, they did a dance class, and our CISO Bruce Potter taught the older ones how to pick locks. I don’t know how popular that’s going to be, but I loved the amazing energy. It speaks volumes to how resilient and positive humans can be when they need to.

*This Index OnAir webinar took place on April 28, 2020. Transcripts have been edited for clarity and length.
Published — May 7, 2020