Ep. 1 – Effects of Compromise: Incident Recovery and Data Sharing
Steve Rivera, CRO @ Logically
Michael F.D. Anaya, Global Director of Attribution @ Palo Alto Networks
September 18, 2023 | 55 mins
Starting Season 2 of Logically Speaking, we welcome a special guest, Michael F.D. Anaya, Founder of decodingCyber and the Global Director of Attribution at Palo Alto Networks. This episode is packed with critical information every business should know as Steve and Michael dive deep into remote cyber threats, incident response, legal ramifications of a breach, and the importance of data sharing after a compromise. After enjoying this episode, you’ll understand what your business has that threat actors covet, and how to better prepare for and respond to potential attacks.
Listen wherever you podcast and share with your networks.
Key Takeaways from the Episode
- Understand threat actors and their motivations for cyber crime
- Learn the effects of compromise to businesses in every industry
- Discover tips on how to effectively mitigate attacks
- Find out why data sharing is critical after any compromise
Effects of Compromise: Incident Recovery and Data Sharing with Michael Anaya at Palo Alto Networks – Episode Transcript
Welcome to Logically Speaking, where we discuss the latest trends and challenges in cybersecurity with top experts in the field. Today, you’re going to learn how to keep your data safe, how to keep your operations sound, and how to keep your business ready for whatever comes next.
This is Logically Speaking.
STEVE RIVERA
Today we have the opportunity to speak to Michael Anaya. Michael is a techie who has been in cybersecurity for over two decades. He was forged in technology as a software engineer and he set out to make a difference. He joined the FBI as a special agent. He was with the FBI for 14 years, mainly investigating cyber nation state and criminal bad actors. He later decided to venture back into the private sector and has held leadership positions in several cybersecurity startups, and founded the cybersecurity awareness company called Decoding Cyber. In addition, he’s a director at one of the premier cybersecurity companies in the world, Palo Alto Networks, and he runs their global attribution program. Michael’s an accomplished speaker, as you’re going to get a chance to hear right now. He has over 500 different speaking appearances under his belt. He’s designed and delivered technical and business-centric presentations for large groups and for C-level executives and boards of directors. Michael, thank you so much for joining us today. I shared your bio, but maybe you can share with our listeners a little bit about your experience and what got you started in cybersecurity.
MICHAEL F.D. ANAYA
Of course. Well, thank you for having me. I really appreciate the opportunity. It’s interesting. I always think about it when people comment on my speaking experience; I always want to go out on stage or start a podcast like this awkwardly, so they’re just like, what? He’s not good. It’s horrible. I haven’t done it yet, though. I’m debating doing it in the future. So as you mentioned, I started in tech. I mean, I was in software engineering initially. I hated it. It was the worst job in the history of jobs. I did it at a company out of Dallas, Texas, with banking software. No joke. The second week of training, I was sitting there and I’m like, oh, wait a minute. You guys want me to code all day long. I did not think this through when I was in college. It was interesting. So I was doing that for about three years. There were some components I liked about it, but it was challenging because I wasn’t built for it. So during that timeframe, I was applying for the FBI. It took me about two years before I was given access to be able to actually formally go through the hiring process. It’s actually multifaceted, very complicated. It is probably one of the most stringent job application processes known in history. And so it was very challenging. But I got through it all. And it was interesting because at the time this happened, I thought this was very thoughtful. And it was to a degree, but then, fast forward through my tenure in the FBI, I realized this wasn’t the case. But when I first started in the FBI, I started in Los Angeles, California, and I was on a cyber squad. And what that basically means, a cyber squad is a group of people who are looking at criminal or nation state actors, bad actors. That’s what their focus is on. And so I started on a cyber squad. And I thought, oh, they clearly put me on a cyber squad because of my engineering background, which was pretty true.
But fast forward, I found out a little bit more about how the whole process worked years later when I did a rotation, an opportunity to transfer into another group within the FBI. And I was running an operation in the transfer unit. This is an administrative function within the FBI. And they transfer people, as the name sort of indicates, to different parts of the US. And so in that unit, I started seeing how the process actually worked. And so I kind of lucked into being on a cyber squad. What tends to happen within the FBI, not to get into too many administrative nuances and boringness, is they look at what the office needs at that moment in time. So they have an applicant pool, people who were selected for the special agent role. They then assess what their needs are across the US, and they filter people out. So we’ll say the New York office needs four people. The LA office needs eight. They send four to New York, eight to LA. There may have been a cyber person who went to LA, and I was that person. Then it gets to the LA office, and then LA is like, okay, we have all these different squads or teams or groups of people. There’s a gang squad, a counterterrorism squad, and a cyber squad. Let’s look at these eight people. Oh, there happens to be a need for a cyber agent. So then that’s how I got slotted into it. But hypothetically, if during this exact same timeframe there was zero need for a cyber agent, I could have been on a gang squad. And then you wouldn’t be talking to me today, because I’d have experience dealing with gangs instead. So very, very serendipitous.
STEVE RIVERA
You know, it’s funny. I’ve done some work with former FBI agents at different companies, and they have a similar story about how they got into either the cyber crimes unit or the crimes against children unit, which was very much done online. And it was more of a personality and proclivity toward technology, but technology wasn’t at the forefront. And they happened to be on those teams, like you said, and then the cyber crimes unit kind of called on them. So it’s very interesting how you got into that line of work. So let’s talk a little bit about cyber and some of your opinions about that. So based on what you know, and I ask most people this, what industries do you see that invest the least when it comes to cybersecurity? Our listener base is very broad. And oftentimes I wonder, what are some of those industries that need further investment in cybersecurity that you’ve seen?
MICHAEL F.D. ANAYA
I think most people in the cyber community are aware of some of the major elements in play here. So healthcare is an industry that’s starting to become much better, but historically hasn’t necessarily invested the amount of money or resources that it should. I’ll just start there and I’ll focus on that one. Sometimes it’s counterintuitive, but it makes sense because essentially those industries, if you think about it, their core competency is helping people get better. So they want to spend money on research and development as it pertains to medicines, to new medical procedures, to their people, physicians, the people who are actually there to save our lives. So that’s what their focus is on. So any industry where the focus is primarily somewhere else, and medical tends to be one of them, those are the industries where there isn’t an ample amount of focus when it comes to cybersecurity. And many times when you hear in the news about various data breaches or ransomware attacks, a lot of times it’s these industries. So it’s going to be medical. Another one is also education, a similar concept there: these industries are focused on other things that make a lot of sense. And so a layperson may look at the data breach and kind of scratch their head like, how is it that this hospital has to deal with ransomware? Shouldn’t they have known better? Shouldn’t they have better protections in play? But when we spend a little more time thinking about it, it kind of makes sense because again, their focus is on trying to ensure our safety.
STEVE RIVERA
Yeah, that’s a really good point. You brought up healthcare. You know, one of the things that I’ve seen in my past has been the challenge of the interconnectivity of healthcare when it comes to medical devices, when it comes to nurses’ stations, when it comes to patient care, right, the doctors who are really the most high-powered users, with access to most patient privacy records, but who also want the least amount of restriction. And you put all of that into one environment. It becomes very challenging for a cybersecurity professional, CISO, CIO, or Chief Privacy Officer to protect all of that. Do you have any recommendations for that industry on what to invest in to get the biggest bang for their buck?
MICHAEL F.D. ANAYA
Biggest bang for their buck. I don’t necessarily know if investment in one particular area would be the solution. There are so many different components in play there. And it’s fascinating you mentioned that. There are some anecdotes I’ll share with you, and then I’ll go back to addressing your question, because these anecdotes, I think, are pertinent to understanding the threat. The main component with cybersecurity is remote threats. And there’s a remote threat in play. When I was dealing with many of these organizations in the past, one in the medical community had a group of physicians, and the physicians were really frustrated with IT and the infrastructure of the organization. The frustration was with IT: they wanted to build a patient portal and allow patients to have access to it. IT wasn’t responsive, so they decided to do it on their own. So they built their own database. In theory, there would be no issues whatsoever. A group of physicians building an administrative database clearly will not be a problem. Unfortunately, it was. There was literally no security in it. And so a threat actor found this unprotected database and grabbed all the data. Another story deals with a very different threat, a physical threat. And this is something that you typically see in movies and you don’t really hear about. But there was another data breach where an actor just literally walked into a hospital, found an open kiosk slash computer, plugged his thumb drive into it, and literally pulled data off it. So I highlight these two stories because it really covers the complication for your CISO or security person: how do you protect against everything? So generally speaking, I have a few pieces of advice in those situations. The main component is, and I’ll mention this several times probably throughout our conversation, I really encourage organizations to think like their adversary.
So it may sound simple, but if you look at those two situations, what was the common thread, Steve, from your perspective, that you saw in those two situations? You’re the bad guy.
STEVE RIVERA
Yeah, I mean, the ease of it. There were no countermeasures to stop that bad actor from gaining access. I mean, it was quite easy to just gain that access. To me, there were multiple layers of security countermeasures that could have been put in place already to stop that. It’s not one thing, it’s multiple things.
MICHAEL F.D. ANAYA
Exactly. And so that’s one component. So there could have been countermeasures, but in those situations, one of the things I observe as a person who’s watching this, again, thinking about it from a threat actor’s perspective, is their desire. They want something that they don’t have that someone else has. At the core, when it comes to hacking, the underlying drive is desire for something you don’t have. Another term for this is theft.
Someone asked me at some point in time, do you think we’ll ever get rid of cybercrime? And I’m like, absolutely not, because we haven’t gotten rid of theft. And no matter what we do, we’ll always have people who want something that doesn’t belong to them. There will always be thieves. And because of that, there will always be bad actors operating online trying to steal something that doesn’t belong to them. So that will be with us through all time. That’s one critical point people need to be mindful of. The threat will never go away. Period. You will never be able to build a system or design a protection that will always secure you; you’ll constantly have to evolve. The threat will evolve, and you have to evolve with it.
So one of the things I talked about is think like your threat adversary. Along those lines, I’ll give you four things you can do to help build that, to exhibit that skill set. One, you need to hire personnel with first-hand experience in dealing with the threat.
If you hire someone who has no experience with threat actors, it’s going to be hard for them to truly understand and materialize what these actors will do, how they think, how they’re going to engage, and the sense I might just share with you is that they’re constantly going to evolve. If you hire someone who has dealt with threat actors, there’s a much higher probability they’ll know how they think. So that’s really quite critical. So that’s one.
Another one is implement an effective employee training program. In both of the situations, if you think about it, if the employees were trained properly, none of those things could have happened. So let’s look at the physicians. If the physicians had gone through a proper training program, at least one of them probably would have said, hey, we shouldn’t be doing this. We have no business putting a server or database out here that other people can access without controls. We need security. Remember our training? Yeah, you’re right, Bill. We need IT. I know they’ve frustrated us, but we’ve got to get them involved. But they need that training. Many times, employees have strong initiative and are quite ingenious, so they’ll find ways around things unless you give them boundaries, and that training comes in to give them the boundaries and the tools they need.
The third thing is to rely on software solutions to assist in identifying threats. Again, let’s look at the second example I gave you about the person walking into the hospital. If you had proper security measures in play, such as logging in to a kiosk or computer system with a password, or it could be biometric, some system that enforces that you have to have authorization to be there, that would never have been possible. But in this situation, that hospital didn’t have that.
The fourth and final thing I can give you in this regard is ensure your partners are reputable and prioritize security. This deals with a supply chain threat that is quite common, and we hear a lot about it in the news. When you deal with various other industries or partners, you need to do due diligence and ask them questions. What do you do for security? Do you prioritize it? Give me some examples. Research them. Spend time really ensuring those partners you do business with prioritize security, because you’re depending on their systems. Their systems will be interconnected with your own systems. If they have a data breach and they have a bad actor in their system, time and time again, story after story, all of a sudden you are dealing with those consequences because your systems are interconnected.
STEVE RIVERA
Yeah, those are great. I want to go back to your first one. When you talk about hiring personnel who have had experience with threat actors, you probably read the same articles I read: there’s a huge shortage of skilled cybersecurity people with experience. So there are probably even fewer folks who’ve actually had experience interacting with, defending against, or even working in that kind of space that you talked about with threat actors. Where would you recommend people look? Are there universities that are specializing in this? Are there companies that seem to be good training grounds? I mean, because we’re all vying for the same resources. Or is there a way to get that experience without actually becoming a hacker?
MICHAEL F.D. ANAYA
Yeah, you don’t want to become a hacker. That is not the right path to gain these experiences. So there are multiple ways. What I’m envisioning, and I’ll just talk about skilled and experienced, since you touched upon those terms, is to focus on individuals who are skilled and experienced in this particular arena. You would be looking at hiring former federal law enforcement, like myself, who operated in that capacity for a federal agency. There’s a multitude of individuals operating out there in this capacity.
Again, you don’t need to hire 2,000 of these individuals. You really just need a handful in key critical positions in the organization, because those individuals can train the other people they’re working with and start percolating the right thoughts. When they’re in meetings, when they’re speaking to the board, when they’re talking to individuals who lack that depth of experience, they can simply talk about their experiences and explain logically why they need to do certain things in order to secure that organization. So you don’t necessarily need to have 2,000 of these former federal law enforcement officials. You just need a few.
I don’t want to give you a specific number because this depends on the situation. You need a few individuals with that depth of experience. Those individuals can then give your whole team greater levels of guidance and perspective. That’s what doesn’t normally happen. Normally organizations are actually looking for technical backgrounds.
That makes sense. If I’m operating in a technical space, I think, oh, I need someone with a technical background. And there is an emphasis put upon this concept I’m sharing with you, which is thinking like your threat actor. In my experience, the industry does cybersecurity all wrong. The focus is holistically on defense. That’s all we’re focused on. When I go to conferences, when I hear expert speakers, they’re talking about the same thing: defend, defend, defend, defend. Imagine watching a football game where you had zero offense. You need offensive measures. Now I’m not talking about hacking back. I’m not talking about red teaming. I’m talking specifically about how you can think differently in order to engage the threat actor, as opposed to constantly falling back on defensive measures. What can you do to be proactive? And one proactive measure is to hire experts in the space who are skilled and have experience with the threat actors, and they can tell you how they think and how to prepare.
STEVE RIVERA
Yeah. So, you know, one of the things that I’ve seen, in companies that I’ve worked with, is we’ve hired from the military as well, people who have that offensive experience. And then we use them in that red team, purple team, internal red team role that will test the countermeasures, think like a hacker, and use those techniques that they’ve seen out in the field against their own organization to better enhance it. So I appreciate you bringing that up. Maybe shifting focus a little bit, maybe you can share a little bit about what you’ve seen from threat actor TTPs, right, their tactics, techniques and procedures, that could help some of our listeners consider some of those things, like thinking like a hacker, as you said. What are some of the noteworthy TTPs that you’ve come across?
MICHAEL F.D. ANAYA
They all vary. I think there are different technical elements in play, but because they vary so much, I want to skip past the technical components and go more toward the macro focus. One thing to think about as an organization: many times I’ll talk to companies and they’ll tell me, well, I don’t have to worry about this. No one’s going to go after me. There are three elements to think about. Do you have something of value, like money or data? And then, what’s the level of access? So those are three things: you have money, you have data, and what is the level of access. If I’m a threat actor, those are the three things I care about.
- If you’re an organization and you’re making money, you have something I want.
- If you’re an organization and you have a lot of data, you have something I want.
- If you’re an organization and I can access you, you have something I want.
So let’s look at that in terms of those TTPs. If all three are in play, you’re going to be a prime target. So if you’re listening or watching this and thinking, oh, wait, I’ve got all those things, you are the person a threat actor is going to go after. And let’s say you’re listening and you’re like, well, hold on. I don’t have a lot of data and minimal money. I just have a few computer systems out there I don’t really worry about. But you have access.
When I was in the FBI, and you read about this constantly, you have threat actors who target infrastructure. They can use it as what’s called a hop point. It means they can hop into your infrastructure, control it, and then launch nefarious attacks. So you yourself have nothing of value from their vantage point, but your infrastructure is valuable. Now, whether it’s nation state or criminal, the attack now looks like you did it. And so that’s going to be awkward for you to explain to law enforcement. No, I had nothing to do with this, Mr. FBI person. I don’t know how this happened. Because you had access. Those are critical components that I think people need to think about, whether you’re a small business or a larger organization, or we’ll say you process meat. And you’re like, well, I don’t really care about this, but they do, because you still have those three things. So I would focus on those three elements. If you’re a business, ask yourself, okay, data, money, and access. Do we have those three?
Now some might not. You might have businesses where that’s true. They’re like, no, we’re a small regional restaurant. We have one website and everything we do is cash only. You’re fine. You’re good. You don’t have to worry about it. But the majority of organizations won’t fall into that category.
STEVE RIVERA
Yeah, no, it’s a really great point you just made. I met with the CEO of one of our clients, about a $450 million company, and they’re not really online. They don’t do a lot of online business, but they’re in shipping and logistics. And it’s interesting that he said one of his finance people almost sent a $200,000 check because they had been infiltrated by a hacker who was monitoring transactions, spoofed an email from one of their vendors, and sent a dummy invoice with brand new banking details, saying, oh, our bank routing numbers have changed, send the payment to this. And the finance person was just about to do it. But because of the security awareness training, they stopped and said, this sounds a little fishy. Let me double check. They picked up the phone, called the vendor, and the vendor was like, no, our bank routing hasn’t changed. But it was just that one “let me double check that,” and they remembered the security awareness training they had done. But you’re right, it’s that pervasive and it crosses multiple industries. Most people think, well, I’m not a bank, so I don’t have to protect myself. And in this day and age, it really is about those three things. I really appreciate you saying that.
MICHAEL F.D. ANAYA
Now, of course, what you’re saying resonates extensively. When I was working with the FBI, and even outside the FBI, I had multiple interactions with organizations who described exactly what you dealt with. I’ve worked multiple investigations tracking the bad actors behind those situations, behind those criminal offenses. When I left the FBI, I was still privy to companies’ situations. There’s one that explicitly contacted me about exactly what you described. They were socially engineered to think the CEO needed $35,000. The chief operating officer got a cryptic message, which was common for the CEO, saying he needed it. There’s a sense of urgency, which a lot of these messages have, because they don’t want you to think too critically about it. She then wired the money. And then all of a sudden she thought about it more and more and more, like, wait, have I done the wrong thing? She panics and calls me. She was in tears and she was mortified that she had fallen prey to this. She finally gets hold of the CEO. The CEO was like, I did not give you that order. So luckily, working with me, she was able to recover all her funds. But it’s one of those things that far too many people fall prey to, exactly as you’re describing. That is typically called business email compromise. It has been around 10-plus years and that’s not going away.
STEVE RIVERA
Yeah, no, it’s actually getting into SMS now. It’s funny. A couple of weekends ago, I got a text supposedly from our CEO, Josh Skeens: this is my new cell phone, this is Josh. And he never texts me on the weekend. So I texted the real Josh’s number and I said, hey, did you get a new phone? And he goes, not at all. And I sent him a screenshot of the text. And I said to him, do you want to have some fun with a hacker? You know, I was going to text him, why do you need me to wire you some money? Send me the bank routing numbers. But you’re right, people fall prey to that because the next email, the next text would have been, hey, I need you to send me something, I’m sitting in front of, or I need, you know. And people will fall prey to that continually if not educated. So let me ask you this. Maybe you can put on your Back to the Future mindset, thinking forward. How do you think the cybersecurity landscape will change over the next five years? So much has changed over the last two decades, but how do you see it moving forward? What’s going to be the next big thing? We’re always thinking about that. In your opinion, what do you think will be the next wave coming over cyber, five years from now?
MICHAEL F.D. ANAYA
Well, one thing I should establish: it’s impossible to guess. Whatever I say, it will be wrong. But piecing together, given the nature of the question, some observations I’ve made, I can tell you what I think and I’ll tell you what I hope. I think the threat actors will continue to grow in number and become more aggressive. And what I hope, I don’t think will happen. I hope that organizations will develop greater levels of collaboration with government agencies and with each other and develop a rich sharing network. So when threats affect your company, you share them with my company, I share with other companies, and we all begin to share this threat intelligence with one another. And we also share with law enforcement, because law enforcement is the only element in our example that can actually act on the threat. That’s what I hope. Unfortunately, I don’t think that’s what’s going to happen. I think because of this lack of sharing, the threat actors will continue to grow, because again, if you think about this, think of a neighborhood. Let’s say we live in a neighborhood together, Steve. And we’re very insular. I talk to you a little bit, you talk to me once in a while, but we’re definitely not going to share when bad things happen. And so if someone breaks into my home, I’m embarrassed, I don’t want to share anything with you, so I don’t. So then you don’t know, I don’t share with the Joneses, I don’t share with the Sanctiuses, I don’t share with anyone else in the neighborhood. So no one knows about it. The threat actor steals something from me and he gets away with it. No one calls law enforcement. So that’s what they’re going to do. They’re going to continue their activity, unabated. They hit another house, no one wants to share. Another house, another house, another house, another house. That’s the cyber landscape. That’s unfortunate, but that’s the reality today. There are so many reasons why organizations don’t share.
But if you look at this example, this is going to create a catastrophic problem for all of us in this neighborhood. That threat actor, they’re enriched and they’re emboldened and they get better and more advanced, and they’ll continue to grow because they’ll get richer and richer and bring in more people. That’s what the threat landscape looks like today, and it’s growing. That’s the problem.
The way to counter this is if we develop a sharing mechanism. So when I get broken into, I don’t have to be ashamed, but I tell you, Steve, I got broken into, and you’re like, oh my gosh, Michael, what happened? And I share information with you. And you’re like, oh, did you call 911? Yes. So now law enforcement is aware so they can look out for the threat actor. So then, Steve, you’re prepared. There’s someone out here who’s suspicious and matches the description of the bad actor that broke into Michael’s house. Can you send somebody? They send someone, they apprehend the person, they question him, and it turns out it was that person, and now the person’s taken off the street. That’s what needs to happen in the cyber landscape. And unfortunately, it’s not happening.
STEVE RIVERA
You touched on something that I want to unpack a little bit, because I’ve always thought exactly like what you just explained: these safe zones where security professionals in similar industries can share what’s happening. Unfortunately, we still live in this era where the victim gets blamed for the crime. CISOs, when there’s a big data breach, the CISO is usually the first one to be walked out the door for some kind of gross negligence or something like that. It’s almost like, to your analogy, if someone broke into my home, the police aren’t going to come to my house and go, all right, here are the handcuffs, we’re taking you in. Or, you deserved it because you left the side window open. And yet that’s what we do in the cybersecurity space. I think that’s changing some, but that seems to be one of the reasons why I think people are reticent to share information: there’s too much shame involved, there’s too much blame involved. So do you have an idea? I’ve always created these kinds of safe zones of CISOs and tried to create a safe space where they can share information with one another, whether it’s healthcare or manufacturing. Finance does a really good job of that, but in some of these other smaller industries, like hospitality, it’s that blame and shame game. How do you propose, or do you have an idea of how, to remove that stigma that’s associated with being blamed for a crime that’s committed against you?
MICHAEL F.D. ANAYA
I think there’s a lot there. So hopefully I can cover all of it; I have so many thoughts on this. So one thought on what you described: it deals with the culture of the organization. And if the organization is structured such that they decide we’re going to hold someone responsible and that person is going to be our scapegoat, that is something that’s difficult to mend, but that is a cultural component within that organization. So that’s one element in play. To counter that, I have a proposal, not necessarily just for that reason, but for other more beneficial reasons when it comes to security. My proposal is that the CISO, or Chief Information Security Officer, should holistically and always report to the CEO. That actually doesn’t normally happen. They typically report into a CIO, or, crazy as it may sound, legal or the CFO, or they don’t even have a CISO, they have another title. But regardless, the person who runs cybersecurity should report directly to the CEO. The main benefit that affords you is that the CEO is now dialed into the threat. They are given direct information when that CISO says, look, here’s what’s happening.
We need to take these measures to ensure we’re protected. There’s no ambiguity. There’s no filtering. Because think about it, if your CISO reports into anyone else, there’s a filter. If your CISO reports into a CIO, that CIO is going to listen, filter the information, and you have no idea what the CEO is going to hear. To me, that is one of the critical failings of organizational structure; any organization that’s structured this way is going to continually deal with data breaches. If you remove that and you change that organizational structure, you’re going to reduce threats, period, because now the CEO is going to have informed, factual, metrically driven information and can say, oh, you know what, this is a critical threat, and they can take action. But if you think about that filter, and you think about it from a logical perspective, just a human point of view, it’s easier for me to blame. So I don’t know you, Steve. I just know you through my relationship with, we’ll say, Tatianna. And Tatianna is my point of contact. And so then I’m talking to Tatianna. I know Tatianna. I know her family and her friends. I have a connection with her. I hired her, et cetera. It’s harder for me to hold her accountable, but it’s easier to hold you accountable, because I don’t know you. I see you a little bit once in a while. But when I’m looking for a scapegoat, I’m not going to look at Tatianna. Instead, I’m going to say, let’s get rid of Steve. So that is one component. So there are multiple things that would change if you were to actually change the structure.
Again, in terms of the accountability aspect, I think there’s a cultural component in play. My proposal to reorganize the workforce hierarchy when it comes to cybersecurity is really to benefit the organization when it comes to security. That’s the one massive benefit it’ll have. And it’ll allow direct information to reach the CEO, which, in terms of sharing, brings it to the center. And then we create a safe environment for sharing. That’s another topic.
What we strive for is a situation whereby there’s a certain amount of decorum that’s established between people who are sharing. Here are the basics of sharing. Here’s what we can share. You’re not going to share anything sensitive that deals with your own internal secrets, anything proprietary that’s going to damage your reputation. No one wants that. No one cares about it. All they care about is indicators of compromise. They just want to know what did you see in terms of threat activity of that data? What can you share with me so I can then determine if I see that threat activity? That’s something a lot of organizations do well. There’s a lot of organizations that facilitate this so that we should continue to build those type of networks. One of the hurdles many times is legal. The go gets in the way. The go gets in the way principally because they don’t fully understand what the government, who the government is, what they’re there for, and there’s different so many facets of the government.
I’ll just break down two components. You have law enforcement and you have regulators. Now again, there’s a multitude of layers of the government. I’m oversimplifying it. Before our conversation when it comes to corporate infrastructure, we’re talking about sharing. Those are the two big thoughts enter a corporate attorney’s mind. But hold on. Who are you sharing it with? Are we going to be liable civilly for sharing information that we could get sued for? Or are we going to give something over that may turn us into law enforcement here about it? We’ll get arrested and blamed for it. That’s our two focuses.
The way around that is you rebuild your internal legal unit. The way you do that is you hire former federal prosecutors who have charged and dealt with cyber related crimes. The reason, just like you hire former law enforcement, is those individuals have dealt with the government, worked for the government, know exactly what is needed to help ensure the threat actor is identified, but they also know what is needed. So if you have those individuals in a legal unit, they can then, with eyes wide open, be able to articulate, oh, this information you can share. Nothing’s wrong with this. There’s going to be no problems and that will just help law enforcement, your partners, the other industry at large understand what the threat adversary is going to do. You don’t need a whole legal unit full of these individuals, but you need one or two that can then have a conversation with others in that unit to talk about what is reasonable to share. Without those individuals, many times it’s left to people who are focused on civil disputes and that’s all they care about. And in that world, they don’t want to share. When I chatted with a lot of these CISOs, they say, I wish I could share, legal says I can’t. So enough force that I can’t share in this community. That needs to change.
STEVE RIVERA
That’s a really good point. I mean, it is a growing need and it is something that I see that, you know, removes some of the barriers of information sharing. That’s a really good point. Want to shift just a little bit and talk a little bit about AI, right? It’s all in the news. Everybody talks about artificial intelligence. They’re talking about utilizing it to enhance cybersecurity speed. And then on the flip side, on the threat actor side, it’s being used to write better phishing emails, targeted, you know, phishing emails, spoofing things. How do you see AI working? And feel free to share anything that you can think of. Like, do you see it being more good in terms of preventative and faster response, or for evil and faster, you know, exploitation of vulnerabilities?
MICHAEL F.D. ANAYA
It’s a great question. I think it depends. Right. And it’s going to depend on how it’s implemented and utilized. If you look at it from a logical perspective, from my vantage point it’s where’s the money being spent? At present, most money is being spent by organizations. And so they have the largest purse strings, which makes sense. And they’re spending it on what we’ll classify as good or protective measures. So as long as that constant spending on AI continues and the focus is on trying to augment people in a way that helps empower them, take some of the more rote processing away and allow it to be automated so things go faster, quicker, all focused on defense. That’s smart. And as long as that’s in play, we’ll be safer. If that spending drops, then the threat actors continue to operate, but they’re operating at then in my shift. I don’t see that happening in the short term, long term uncertain. But that’s where AI is quite powerful when it comes to cybersecurity.
There’s a phrase and or sentiment that’s being spoken about, co-pilot. Organizations sometimes coin co-pilot as a development term, as a product, et cetera. All that means is, think about if you’re a security professional and you need some assistance and you’re like, well, hold on, is this threat something I should worry about? Hey, co-pilot, here’s what I’m seeing. Help me surface if this is something that’s a concern to me. That’s smart and that’s useful. Products are being infused with this. I would, if I were a company, ask individuals that are offering you opportunities to buy their software, vendors, et cetera: what type of augmentation of AI are you giving me? I think critically evaluate it, but what is it? Is it simply just a large language model or is it something more than that? Is it integration with other parts of the system, talking about those integrations? How can it empower my SOC or security operations center to operate at speeds that maybe need to happen when a threat actor is actively engaging you in a possible data breach or has already breached you? Those are things you want to ask. It’s really how, and it’s just being developed right now. We’re at the very nascent state of it, but as long as money is being pumped into AI when it comes to protection, I think we’re in a good spot in the future. I’m excited to see where it can take us, how it can be augmented, how we’ll become more secure and our security will get better and more insightful as we start learning and growing and going back to sharing. As long as the underpinning models, information is being shared and data sources are being updated with new, latest and greatest attack vectors, et cetera, it’ll stay really relevant and quite powerful.
STEVE RIVERA
Yeah. No, that’s really good. Thank you for sharing that.
Want to shift topics a little bit and talk about recovery from an incident. I’m sure you’ve read about the city of Dallas, right? They’re still kind of limping along. Finally, two months later, after this ransomware attack, this cyber incident from May 3rd are beginning to get back into operations. What would you recommend organizations, municipalities, what have you, companies to ensure that they can recover faster than 60 days, right? 60 days seems to be a long time to recover from something like that. What would you recommend or how would you help our listeners understand how to recover from something like that?
MICHAEL F.D. ANAYA
It’s a tough one for a few reasons. One answer from pre-breach. Pre-breach, easier said than done, take precautions now. Spend the money now to ensure you have adequate security. One of the critical components I always see is start with the leader. Whoever runs your cybersecurity program, make sure they know how to lead. This is critical because many times people hire people who are very technical. They go through, let’s hire a technical person. That’s fine to a degree. If you’re looking to me, it’s Michael, who should we hire? I don’t want a technical person. I want a leader. I want someone who can inspire, who can empower. I want someone who knows how to communicate and help motivate people. I don’t want a technical person because the technical people will be employed and empowered by that leader. I think it starts with the leader. Pre-breach, you need a strong leader. You need someone who can lead. You need someone who’s got experience dealing with the issue at hand. You want someone who can motivate people. You really want a leader. Unfortunately, and don’t get offended, these are friends. A lot of them aren’t leaders. Some are. The leaders I’m very impressed by. Generally speaking, they’re not leaders. They’re technical people. They can talk to you about configurations, protocols, scripting, and all that, which is fine, but I really want a leader who knows those are important and hires the right people in the right positions and then empowers them to make good decisions. That’s a strong organization.
Another pre-breach thing you could do is ensure your board of directors has a cybersecurity expert. Many organizations, that’s not a factor. It’s not something they consider. When I briefed the board in the past, many times the things I’m sharing with them, they’re hearing for the first time and I’m not sharing anything that’s groundbreaking. I’m just sharing information that in the cybersecurity community is quite common, but they’re not hearing it. If you look at the board, generally speaking, they’re focused on the industry at hand. There are people who can help them, which makes sense. They’re former executives, they’re current executives, et cetera. Those are all good reasons why you should be on a board, but you need an expert. That expert can be there to help talk to the others and say, look, here’s why we need to do this before the data breach. Again, before the data breach, build a relationship with law enforcement. Have your organization reach out to your local federal law enforcement agency that deals with cyber crime, principally the FBI, another one, Secret Service. Build those relationships. Develop meaningful relationships. Don’t just meet them once and get their business card, but actually cultivate a conversation. Let them come talk to your employees. Work with them. Do joint sharing operations, et cetera. Build that relationship because if you build that relationship, they can share intelligence with you. Unclassified intelligence, they can then share with you.
That’s all going to help you. It’s going to help you understand the threat actor. It’s going to help you prepare. So those are all pre-breach activities you can do. Post-breach, how do you recover faster?
It’s going to come down to your redundancy. How much data protection you had in play. Hiring the right professional. That right professional is quite critical because a lot of time is spent in trying to bring in people who may not know best how to solve the problem. So that will elongate the solution. But maybe when the breach happens, depending on what situation, whether you have cyber insurance or what the situation is, hire an expert who’s dealt with it before. I cannot state how important it is. If you’ve hired someone who’s dealt with 20, 30 data breaches, that’s good. But someone who has dealt with 100 data breaches, it’s even better. The person who has 100 data breaches, they know explicitly what needs to happen. They know who to talk to. They know all the machinations that need to take place. That’s really what you want. You want to get up and running as fast as you can. You want to ensure, well, first, you want to ensure that there is no longer a threat in play. And that individual, that depth of experience, will be able to help discern that and help guide you, help tell you, hey, you need to bring in this type of team, this type of team, et cetera. They’ll be able to have factful conversations. Many times some of these incident response organizations will provide you with people with a lack of depth of experience. So they don’t actually know. So they’re learning on the job. And again, if you’re the city of Dallas or an organization, you probably don’t want the trainee there. But having that person who’s an expert, they can spot that and say, no, no, no. We don’t want these individuals. We need these individuals. What are you doing? How are you doing this? Okay, this sounds good. And they can help sort of quarterback this data breach response. So having that expert is something you can do to help get up pretty quick.
STEVE RIVERA
Yeah, those are really great points. A couple of things that you mentioned, relationship with law enforcement, I think that it’s always really key to form those relationships, not, like you said, just have a card, but be in contact with your local law enforcement, federal law enforcement, and then also have those relationships with an investigator, a forensic investigator, the third party that can come in and contain and do some of that work, but then also outside counsel. So I always look at it as a triad, to have all three of those in place and, like you said, not just a business card, but have a relationship. One of the things that I found, I was meeting with a CISO recently and we were talking about their business continuity, disaster recovery, and I was asking about scenario based tabletop exercises. And he was able to answer like the second or third question, but then the fourth, meaning does legal know when they’re involved, does HR know when they’re involved, you know, when do you pull in your executives, when do you pull in public relations, and his response was, hey, I’m just responsible for IT and for security and those people. And I’m like, no, when you have a massive breach, it’s all hands on deck and everyone needs to know their role. Everyone needs to know what their response is going to be, and you can’t wait till you have a breach to do that. You need to test it. So we walked through several scenarios, to which he was going to go back to his counterparts and say, we need to do a tabletop session, we need to walk through this so we have the muscle memory. So we have the knowledge of it, and it’s documented, and it’s not on someone’s hard drive that could be encrypted by ransomware. It’s printed out, it’s in our desk, we know that we can open it and say this is the scenario. This is what we have to do. This is who we have to call. And I find that that also is a real key component.
Pre-breach, post-breach, that keeps and contains that timeframe of the incident, rather than running into the 60 day, 70 day kind of scenarios. But really great stuff there. I did have one other thing I wanted to chat with you about, and I was reading about this this morning, about the case between the Iran linked APT 35 targeting Israeli media. And I was reading this and I was thinking, you know, warfare as we know it from a nation state is changing and cyber becomes a component of that warfare. We saw it in different, you know, different geopolitical situations over the past few years. How do you see that changing? Do you see that becoming more like, you know, I know our listeners sometimes watch movies and they think, oh, you know, that’s just Hollywood. And yet my experience, and I’m sure your experiences are the same, you know, truth is stranger than fiction sometimes. So how do you see cyber warfare changing the game? And how does the private sector play a role in that? I guess I’d like to get your opinion on that. How do you see cyber warfare kind of changing the game, and then how does the private sector play into that?
MICHAEL F.D. ANAYA
That’s a great question. I think one thing to look at, and think about warfare, look at kinetic warfare. And let’s assume a threat adversary to the US were to fire a missile and they were to hit a building in downtown Los Angeles. We would all know it. You’d see it, there’d be coverage. It’d be all over the news because it’s very visible. It’s kinetic. And it does, we’ll say, you know, $200 million of damage. We’ll say that same threat actor launches a cyber attack. No one knows it. I don’t know it. Everyone in Los Angeles drives in the streets like nothing happened. But you know who does know it? The company. The threat actor. They all know what’s happening. It goes back to my sentiment on sharing.
One of the critical components in cyber warfare is those organizations need to share. It is so critical. But again, I don’t want to keep going back to the same point, but you really cultivate that relationship with law enforcement, the prosecutors, if you have federal prosecutors in your company, when that breach happens, they know exactly what they can share and what they can’t to stop and or get law enforcement and intelligence agencies. If this is a nation state actor engaged so they can do something. If you don’t share it, they’re not going to know. There’s this go back to Hollywood. I think many times organizations wrongly think, oh, I’m sure someone in the government knows. Not necessarily.
Because again, it’s not kinetic. It’s not something quite visible like a missile that hits a building and the building explodes. It’s quiet. It’s under the radar. No one knows it except if you’re involved. And that’s really where the landscape is going to change. And again, unless we have cooperation amongst all parties, then the threat actors, the nation state actors, will continue to operate with impunity.
One more complication of all this is many times now with modern coverage of the media and how ubiquitous information is online. We want things fast, right? One data like tomorrow, we want data that happens today at seven on our phones at seven to one. And we become very focused on this. When it deals with the government, I touched on this a little bit before, at least I mentioned a nomenclature here, but I talked about unclassified. When things deal with the government, information is classified. What that means is there’s an air of secrecy, of obfuscation, that governments can’t share because it’s classified. And they keep it classified because they’re protecting a number of different things, such as people, such as information, if it were to leak. And that media cycle I mentioned to you a while ago were to catch it. The bad actor, the nation state actor, would then know and they could then start obfuscating their actions even further. But that secrecy associated with information, that sometimes prevents federal officials from sharing it. So we’ll say a data breach happens and it hits that company. And that company were to share with law enforcement or federal agencies. They may not share right away because they’re conducting an investigation. There may be a delay. So we hear a lot of news stories and it touches on the government being involved. And the news story can tell, they’re like, well, what else is happening? Many times you’re not going to know because information is sensitive. It’s classified. It has to be declassified. Once it’s declassified, then it can be shared. So a lot of these agencies will then look at this information to pull out the sensitive topics and then they’ll share it with the public and say, here’s what we learned. And so that’s just one thing to factor in, just as more of an FYI. But to answer your question, organizations need to really cultivate this landscape of sharing.
STEVE RIVERA
I appreciate it. Thank you so much, Michael. Thank you so much for your time. That’s all for this episode. Make sure you take time to listen to our next episode of Logically Speaking and stay cyber-first and future-ready.