Reducing Cyber Risk: Back to Basics

Keeping up with the rapidly changing cyber threat landscape is no small feat. Given the mounting number and increasing sophistication of attacks and breaches, poor device health at many organizations, system drift, overworked admins, and other challenges, we have to keep our eyes focused on cyber resilience.

In this Fireside Chat, Automox’s Director of Information Security, Chris Hass, and Technical Product Marketing Manager, Peter Pflaster, go back to the basics when it comes to reducing cyber risk best practices. Watch here to join the conversation.


Video Transcript: 

Hello and welcome to our next session on reducing cyber risk by going back to the basics. My name is Peter Pflaster and I'm a Technical Marketing Manager at Automox. Before we dive into our fireside chat, please let me set the stage quickly.

Today's tech landscape has a myriad of potential pitfalls and issues that you're likely painfully aware of already. Most of these have existed for a long time and will only continue to grow as the way that we work fundamentally shifts and connectivity grows.

There's a laundry list of problems that you're already trying to minimize every day, such as attacks, ransomware and data breaches that are occurring from old vulnerabilities and patches that have known solutions, misconfigurations, phishing, and more.

Organizations today are struggling to support the remote workforce and that's likely to continue. Failed audits and unmet remediation SLAs as well as the pressure to get faster, more accurate and do more with less continues to grow as well. Yet devices are still in bad states of health and users are too often left frustrated and unproductive.

IT and security operators are still miserable with their existing tooling and are usually spending too much time on repetitive tasks. Yet systems are still drifting away from desired configuration states which often requires needless manual investigation or remediation.

Ultimately, this laundry list equates to risk, whether that risk represents true cyber risk, risk of employee turnover, or reputational risk to the business. Today's teams and tools are still too siloed. The complexity of multiple on-prem tools continues to cripple teams' efficiencies.

We surveyed 500 administrators, managers and directors of IT and security and found that most organizations are using 10 or more tools today to effectively manage their endpoints. What's now been coined as the cybersecurity mesh or the shift from assets and end users to being outside of traditional infrastructure and networks has exposed VPN dependent solutions and is preventing teams from managing or supporting modern workforces adequately.

In the same survey we discovered that organizations with more than 40% remote workers are more likely to struggle with their team staffing, visibility of endpoints, and lack of automation for IT and security processes. Shifting this existing on-prem stack to the cloud often requires too many tools to support cloud workflows and time that IT and security teams usually just don't have.

We've seen a dramatic shift to cloud-native software in just about every industry, with companies like CrowdStrike completely transforming SecOps, but ITOps is still largely dependent on the same on-premise tools that are confusing and expensive to administer and that are still contributing to the laundry list of problems we just discussed. The work of IT and security teams is naturally intertwined, and it's important that both teams are working as one to reduce risk and increase efficiency.

So what does reducing cyber risk really look like, and what role do IT and security operations have to play?

Well, today we're going to discuss that with Chris Hass, Automox's Director of Information Security and Research. We'll be going over some steps and what you can and should be doing to execute the basics well, to ensure that both your IT and security teams are pulling in the same direction to reduce risk in your organization and deliver a flawless experience to your end users.

We've got Chris Hass here, Director of Information Security and Research at Automox. So before we jump into the meat of the discussion, Chris, why don't you tell us a little bit about your background and how you ended up at Automox.

Hey Peter, yeah, happy to be here. Yeah, Chris Hass, Director of Information Security and Research here at Automox. I've had a lot of different positions in my past, but I've really focused on the threat intel and threat research space. I was a principal threat research engineer at LogRhythm for a bit of time. I also ran a threat research team and various other roles at Cylance in the past for a few years, and I spent some time on the offensive side of things at NSA. So I've spent a lot of time in different roles in security, primarily focused on the research, intel and reverse engineering space, and LogRhythm was really kind of my first foray into security operations at an organization and running all the day-to-day security operations for a company.

Awesome. Thanks Chris for that background. So let's jump right into the discussion here. How would you define cyber risk?

Yeah, traditionally the simplest definition is really just, you know, risk of financial loss or business disruption or reputational damage based on the impact or probability of a cyber threat or event occurring. Right? There's really just five main types of cyber threats, and that's typically: ransomware, phishing, data leakage, typical adversarial hacking, insider threat. Things like that are all kind of examples of major cyber risk.

Great. So if somebody's coming in, let's say as a new director of security or new CISO, and let's say they're essentially starting from nothing, there is no program before, what are the immediate steps you would recommend a new security program take that kind of offer the biggest payoff in reducing cyber risk immediately?

Yeah, absolutely. So this is a very interesting kind of topic because it's essentially what I was tasked with doing when I first started here at Automox. I've been at Automox about three years now at this point, and I was the first security hire. And really the first thing that I did in order to try to make sure that I was being as effective as possible was just listen, listen to the rest of the business, listen to the business owners, understanding what our risk appetite is as a company, how much risk we're willing to accept, things that actually would or would not happen, things we could implement or things we could not implement.

Just some general reconnaissance of the lay of the land, of what the security landscape looked like before I got in. So then you take a snapshot of what has been done in the past, and you pretty much want to make sure that you do a threat model of what kind of damage, or what's the most important threat, that you're trying to stop from happening to your company. Right? And then you perform some type of threat modeling. You can use a lot of different ways to assess certain threats by using threat modeling. You can use PASTA as a way to do threat modeling, you can use STRIDE, there's other methodologies in order to qualify threats to your business. And then once you've done those practices and you've kind of modeled those threats and the things that are most important to protect your company from, the things that keep you up at night, that's kind of how you typically will pick a lot of the solutions you want to put in place.

So a lot of my background is in the endpoint management and endpoint protection space when I was at Cylance, and some from the network side when I was at LogRhythm, but I was really focused on making sure that every machine, whether it's virtual or, you know, a laptop or a real physical machine, has some type of endpoint protection software on it, right.

So the first thing was you want to get an EDR tool. So the first tool we went with was CrowdStrike. The other thing that we went towards was making sure that we used our product everywhere within our organization, right? Patching is one of the most important basic things that you do.

So the first thing we were tasked with was identifying whether or not we're using our own product internally. Right, thankfully we were using it pretty much everywhere we could, but you know, having that visibility, having that coverage to be able to configure things as a startup quickly, and as the only security and IT person, it was really helpful for us to be able to have that visibility, be able to patch our machines, making sure they were kicking out secure configurations and not having to engage every single arm of the business individually. So that was really helpful for us.

Awesome. Thanks for that insight Chris. So obviously Automox is a company that probably has a more security-focused approach, perhaps even more aligned to an even larger business. All these steps that you just discussed, are these things that would really matter to a small and mid-sized business, or can they kind of just, you know, put in a firewall and call it a day?

No, absolutely. I think it's applicable to all parts of any size business. Right. You know, at the time that I joined Automox we were a small company. We weren't even 50 people yet. Right, so pretty small, small budget. And when you're coming into an organization like that, or any SMB, you know, every dollar counts. So you want to make sure that if you are spending from a security perspective you're getting as much bang for your buck. Right? So really being able to identify tools that are versatile, that can give you the best ROI, making sure that they're available if anything happens. Thankfully, a lot of the tech stack that I implemented, and the folks here at Automox, a lot of it was very much cloud-native, cloud-focused. We had a lot of people working remote even before the pandemic. So once that kind of hit, the pandemic shifting to a remote-first culture was not that difficult for us because we were already kind of doing that internally based on the decisions that we made, right. And having that flexibility of being able to perform work anywhere and everywhere was one of the biggest things we wanted to enable for our workforce.

Yeah, that's great. So it sounds like Automox perhaps had kind of a unique advantage going into the remote work shift with the amount of cloud-based tools it had adopted.

You know, as we've seen kind of this monumental shift in how work is done and where it's done over the past few years, has that shifted kind of the definition of risk or the approach to cybersecurity here, or I guess for any potential security leader?

Yeah, I mean in terms of evaluation, absolutely. I think, like I mentioned, we really always have been kind of focused on cloud-native products to keep our business agile, to be able to move as fast as possible. It's really critical for a startup to be able to be, you know, fairly agile. Right? So that's one of the reasons why we picked cloud-native products kind of from the get-go, but there's a lot of other reasons why you would want to do that, right? There's, you know, being able to scale tools easily, being able to identify, you know, possible costs and things like that associated with it, having predictable costs, not things based on usage but based on user seat, it's kind of helpful for you. Also there's a lot more focus you have to put on your third-party risk management, right? Because you give some of that risk to that vendor that you're purchasing from. It's not as, typically on-prem solutions are a little bit more configurable because they're within your environment, they have to be.

So there you are kind of having some type of risk transference to that vendor. And because of that, you have to make sure that, you know, that vendor not only values security at the same level, but even at a higher level than what you're currently having internally, right. You want to make sure they're not bringing in any type of solution that hurts your security posture. You want to bring in a solution that will help your security posture, that you know that they're doing the right thing. So we really spent a lot of time and focus on third-party risk assessments, on questionnaires, you know, checking to see what compliance standards they have, and then going even the extra mile where it's not just checking for credentials but getting on the phone and talking to their security teams, having well-thought-out questions, asking them: how are you going to let me know if there's a breach? What's the timeline for when breach notification is going to come? Are you going to ask for a third party to come in and do incident response? Do you do tabletop exercises with your executive leadership? You know, just how am I going to track these things? Those are all questions you want to make sure that you're asking, you know, those vendors that you're transferring some of that risk to.

So it sounds like the fundamental way that you're evaluating new products, if you're considering bringing a new product into your security or IT stack, kind of starts with scalability and flexibility, but it seems like there's a lot more emphasis on the actual security measures that that vendor is taking, and spending time not just taking them at their word but having evaluation calls and forms related to that to ensure that you're both on the same page there.

Absolutely. Yeah. I think as a security owner at an organization, you know, security is one of your biggest focuses, but you cannot be a blocker. You cannot be the department of 'no' within an organization. So making sure that you're making informed decisions on controls that you're putting in place that won't hinder the business's profit but help you reduce the chance of some type of cyber attack is really what's most important.

So I always look for tools that enable the business first, and then once I've identified a couple of controls, a couple of tools that I want to implement, I really do a good job, or really try to do a good job, of investigating their security practices, so that way it's up to the same standard that I would expect internally.

Mhm. Great, awesome, that's a very helpful tip. So I think we've covered the security side of the house pretty well, but I think something that may kind of fall by the wayside at times is the role that IT might play in, you know, delivering technology to the whole organization obviously, but also working with security to kind of pull in the same direction towards a more secure and efficient organization. So are there any tips that you have for better integrating IT and security teams?

I think first it starts with the culture. You have to build that culture within your security and IT team to work well together. I think just having open conversations often with both teams, if they're separate teams, to make sure that they're on the same page, make sure that they have visibility into things that are coming down the pipeline. Maybe some tools that IT is evaluating, maybe some tools that security evaluated, because a lot of times, you know, if you're bringing in tooling from an IT standpoint, security is going to have to do some type of evaluation of whether it meets some type of security standard, and if you're bringing in a security tool, it's often the IT team that's doing the implementation, right?

So there has to be a strong partnership there between the two teams, so that way you have the visibility, you're not blocking in your processes to get those things implemented, and you have a good plan in place. And really I see a lot of blending of the two teams now out in the ecosystem, where there's just a lot of blending of talent between IT and security, and a lot of IT professionals now are kind of focused, or not necessarily focused but interested, in moving into the security space. Almost everybody in the security space in their past has been an IT admin. So it's kind of just a natural progression there. And like I said, pretty much everybody that's worked in security has started in a help desk role or had some time spent in the IT teams, so ensuring that they're both on the same page, making sure that they're, you know, communicating together and working together, really helps your organization and will kind of reduce friction for the rest of the company.

Awesome. I think, you know, as things have been increasingly digitized, almost every company is getting more and more of their stack exposed to the internet. Speed is of the utmost importance.

Now I think we've seen an increasing amount of zero-days and exploits happening. The scanning happens faster than ever now from threat actors. So what do you see today as kind of the biggest roadblock preventing, you know, IT and security teams from acting more quickly to remediate a vulnerability, whether that be a patch or a configuration change?

I think that the general environment has just gotten so complex over the last few years. Right?

So we have a lot of different environments now, where maybe a vast majority of your tech stack is cloud, maybe you're running in a hybrid environment, maybe most everything you handle yourself in your own colo or something like that, right? You're often using multiple different OSes. In the past we always have had that, but you're seeing more adoption of macOS in the enterprise space than you've seen in the past. I think there's just a lot of different tools that don't necessarily talk to each other, that because of that may not be API-driven, so you might not be able to, you know, integrate those things together and achieve the automation that you're looking for. So I think that that's really the biggest hurdle that I've dealt with, or that we've dealt with here at Automox: it's just trying to make sure that you're picking the right tooling that can integrate with each other.

And then also being able to accomplish as many tasks as possible and automate those things as much as possible. Right? So like one of the biggest core fundamentals of our IT team here is, if you do it more than once, you automate it, right? So pretty much everything we try to do, or are spending more than an hour on, or we're seeing this ticket come in, you know, more than once, we're always brainstorming some type of idea of how we can automate those things. And one of the hardest things to do is trying to get tools talking together that just don't talk together very well. So really being able to find API-driven tooling, making sure that you have, you know, the correct visibility and the ability to create automation across your organization is incredibly important, and finding tools that are API-driven is difficult nowadays.

Awesome. That's great advice. So kind of the approach of, if you're doing repetitive tasks, even if it's more than once, trying to focus on, you know, automation there is important.

Absolutely. I mean that's one of the biggest points to keeping your IT team happy, right, is automating those mundane manual tasks. I know that in the past there's been a lot of talk about, well, what if I automate myself out of a job? You'll never do that in IT. There's so many things in the organization that you have to automate as much as possible, but nobody wants to do the exact same task over and over and over again.

Right. So just trying to make sure that you're pushing automation, either if it's built into your tooling or, you know, having an exposed API that you can write some type of, you know, something in Python or some type of integration to get the things done that you need to, is incredibly helpful and presents a lot of ROI on whatever tool you're using.

Great, and then the last question that I have for you today is perhaps a bit more abstract, but I'm curious about how the security and IT team at Automox is structured and the rationale behind that approach really. You know, what works well?

Yeah, absolutely. I mean, we have kind of an unorthodox way of conducting our IT and security in the way our teams are structured here on both sides. It's actually that me, as the head of security, I actually run the IT operations team, or the IT team, here internally at Automox, which is not necessarily the run-of-the-mill kind of architecture or org structure, right?

A lot of times your security team either reports to a CIO or sometimes directly to the CEO. But it's not very often that your IT team reports to the head of security, right? And I think that that's kind of indicative of the ethos that we have at Automox. We've seen a lot of attacks out there on similar platforms, like SolarWinds and Kaseya. And we think of security as one of the utmost highest priorities at Automox, and that really starts with implementing things securely in the beginning. So pretty much anything and everything that security is tasked with, they have some type of counterpart, an IT counterpart, that's making sure that not only are we responding to attacks or responding to alerts, but we're also engaging with IT to remediate as much as possible.

Making sure that we're doing all that we possibly can to not only bring in technologies from the IT standpoint to enable the business and, you know, unlock the efficiency of the business, but that it's done correctly and it's done securely, right, because we can't afford a major attack like that. So it's an interesting kind of structure. But I enjoy it, I think it works out really well. Like I said earlier, we have a lot of blending of IT and security teams, and having them kind of in the same room talking constantly back and forth makes us move our security controls much faster than I've seen at previous places.

Gotcha. So it seems like the takeaway here, you know, regardless of the hierarchy of the team, is just a culture of constant communication between the two, no matter how it's structured.

Yeah, absolutely, constant communication not just with the IT team but with the rest of the company, right? And then really trying to build that security culture that, you know, maybe I should just verify with security before I implement something. Maybe I should just check before I implement something. And really trying to make sure that you build things securely from the beginning, kind of having that shift-left mindset where, you know, you're implementing security controls from the beginning so we don't have to bake them in at the end, and that really does unlock the business's kind of efficiency and speed. So yeah, it's constant communication and making sure that everybody understands that it's everyone's responsibility to be secure.

Yeah. And I think that goes a long way to creating the kind of narrative that you talked about earlier, where security and IT are enablers rather than blockers within the organization, kind of changing how it's viewed regardless of, you know, what folks may or may not think.

Yeah. Absolutely. 100% agree.

Great. Well that's all the time that we have today for our fireside chat.

So thank you Chris for your time and insight today. I really appreciate the opportunity to talk to you.

Absolutely. Thanks Peter. Thanks everybody.