Welcome to the inaugural edition of the State of Enterprise IT Security podcast, hosted by e360 CISO Brad Bussie.
The State of Enterprise IT Security focuses on delivering approachable and actionable insights for technology leaders.
Brad Bussie, the Chief Information Security Officer at e360, walks through the latest security threats facing the enterprises and share’s his first-hand perspective of these topics based on daily work with CISOs and other enterprise technology leaders.
We're looking forward to delivering valuable information to you in this and future episodes.
Listen to the Show:
Watch the Video:
In this episode, Brad Bussie focuses on the evolving landscape of cybersecurity, particularly the impact of GenAI on Chief Information Security Officers (CISOs), the risks associated with unused identities, and the surge in ransomware attacks.
Brad opens with how GenAI is transforming the cybersecurity sector, altering the roles and strategies of CISOs. He delves into how these AI technologies, including large language models like ChatGPT, can be exploited to craft sophisticated phishing attacks, posing both opportunities and challenges for security professionals.
He then addresses the risks of unused identities within organizational networks. It emphasizes the importance of auditing and managing these identities to prevent security breaches, highlighting the role of lifecycle management in provisioning and de-provisioning user accounts. The concept of “identity as the new perimeter” is explored, underscoring the need for robust identity management and governance in today's digital landscape.
Brad discusses the tactics of ransomware groups, likening their methods to guerrilla warfare. These groups operate in small, efficient cells, striking quickly and dissolving back into anonymity, often reassembling under different names. The ease with which attackers can access tools and funding from the dark web, including AI-driven tools for cyber attacks, is highlighted as a growing concern.
He also touches upon the challenges faced by organizations in managing access rights, the creep of access, and the implications for security. There is a discussion on the importance of adopting a comprehensive, educated, and automated approach to identity and access management.
Finally, Brad concludes the episode by urging the adoption of a true zero trust approach to cybersecurity, moving away from traditional perimeter-based defenses. The importance of protecting devices, users, and data in a more decentralized, internet-like internal network is stressed as vital for future security.
Throughout the episode, Brad provides insights and solutions for technology leaders and security practitioners, encouraging them to stay informed and proactive in the face of rapidly evolving cyber threats and technologies.
Key Topics Covered:
- GenAI and its Impact on CISOs
- The Risks Associated with Unused Identities
- The Increase in Ransomware Attacks in 2023
- Fortune: GenAI is turning the cybersecurity landscape—and the CISO role—on its head
- Bloomberg: Clorox, Boeing, MGM and More: Why Big Hacks Have Surged in 2023
- Spiceworks: The Elephant in the Cloud: The Risks of Unused Identities
Read the Episode Transcription:
[00:00] Introduction to Gen AI and Its Impact on Cybersecurity
Brad Bussie: From the the CISO perspective, the landscape is changing. And it's changing quickly. And what we're faced with now is how do we adopt Gen AI tools? Because it's really not an option. You really have to look at doing it because that's what the attackers are leveraging. And we, as the security community, need to get a little better at collaborating with stakeholders and figuring out how we get to a yes.
Hey everyone, I'm Brad Bussie, Chief Information Security Officer here at e360. Thank you for joining me for the State of Enterprise IT Security Edition. This is the show that makes IT security approachable and actionable for technology leaders.
[00:01:00] I'm excited as this is our very first episode where we discuss three timely topics.
The first one, Gen AI. How it's turning the security landscape on its head. Two, the risk of unused identities. And three, the increase in ransomware attacks in 2023. Now we did record this show at the end of 2023, and I'm sure you're gonna hear me talk a little bit about the holidays, and you're probably looking at your calendar saying, wait a second, it's 2024.
But honestly, everything you're going to hear is still timely. So with that, let's get started.
I wanted to spend some time talking today about three different topics. So I spend a lot of time talking with clients as well as reading clips in the news, and I came across a couple of things that I think you would find interesting and hopefully useful.
[00:02:00] So, Gen AI, I think everyone has heard a little bit about it, or if you're like me, you've heard a lot about it.
So how is this really impacting CISOs? Because I keep hearing this term that it's turning the cybersecurity landscape and the CISO role on its head. So there was an article that I was looking at, and I did a little extra reading because I was interested in where they got some of their facts from. And I figured I would share some of that with you.
So, for those of you that don't know, Gen AI, it's a type of artificial intelligence. And what it's good for is creating new types of content. And that is things like images, text, Audio. But the thing that you need to remember is all of this is based on some kind of existing data. So we're giving it an input.
[00:03:00] And that's why when I read generative AI, I'm not thinking artificial intelligence. I'm thinking, augmented intelligence, so it still needs some form of input, and in order to get what you're looking for, you have to give it more data, and sometimes you have to give it a lot of data, and that poses a cyber security challenge.
So when it comes to the way that I would say some of the attackers are leveraging this type of technology. They're doing things like deep fakes. So they're creating in essence for me, it's, it's my face, it's my voice. And it's very difficult to tell who's real and who isn't. And then there's synthetic identities.
[04:00] The Rise of AI-Driven Phishing Attacks
There are people that exist that aren't actually people. They are AI generated voices and faces. And what I'm constantly faced with as a CISO is things like automated phishing campaigns where there is an AI that is being fed information from someone nefarious, could be someone Uh, overseas, onshore, you, you honestly never know, but maybe English isn't their first or in some cases second language, but they're able to feed these new Gen AIs and large language models.
information and it will craft that phishing email for you. So I'm going to talk a little bit more in the show about a few of the ways that these organizations are leveraging some of the technology out there, like chat GPT, where they're creating their own GPTs. And I'll tell you a little bit about what that means.
So from the CISO perspective, the landscape is changing. And it's changing quickly. And what we're faced with now is how do we adopt Gen AI tools? Because it's really not an option.
[00:05:00] You really have to look at doing it because that's what the attackers are leveraging. And we, as the security community, need to get a little better at collaborating with stakeholders and figuring out how we get to a yes.
And I, I talk with my team and clients about this often where in the CISO or the CISO role, Often, people look at us as the ones that say no. And what I'm trying to get to is a yes. And I talk a lot about the statement, yes, and yes, and we're going to get there. It may not be the way that you are proposing.
However, we can solve that problem. So I think the future of Gen AI is going to continue to evolve. It's going to impact cybersecurity, both positively and negatively.
[00:06:00] And I think it's creating opportunities and risks for security roles in general for organizations. So, things I want you to take away from this are phishing attacks.
They're getting more convincing and they're getting a lot easier for attackers to create. And there's basically exchanges now on the dark and deep web. Where they can go and just get these pre-built GPTs, and they're, they're maybe built only to do phishing emails. And they start off with basic phishing, then they move into spear phishing.
And then it turns into a persistent threat scenario. So these are things that, you know, we need to leverage tooling that's out there. It's not all doom and gloom because a lot of our favorite tools have been leveraging machine learning on the back end. It just isn't as buzzworthy.
[07:00] Governance and Compliance in the Age of Gen AI
So there hasn't been a lot of talk about it, but I think you're going to start seeing more from some of the vendors out there.
Now I always try to keep this show pretty vendor neutral. If you ever hear me talk about specific technologies, it's going to be rare, but I may end up using some of the products as just a talking point. So the things that I want you to take away from this is where, as a security practitioner, should you start?
And if I'm looking at this as I would look at any security program, really it comes down to governance and compliance. And that simply means what is allowed, what's not allowed. So if I'm looking at this from my employees, what is it okay for them to do?
[00:08:00] Should they be able to use ChatGPT? Should they be using Google Bard, now with Gemini as a piece of it?
Should they be using the Microsoft Copilot? And, that whole Bing chat component. That's gonna be up to you to decide. Maybe you want all of them. That is really just the Gen AI side of it. Then it's gonna come into What's allowed from the machine learning or the overarching AI inside of the organization, you know, is Google Vertex going to be, is it going to be copilot and as security practitioners, we have to think about this and we have to realize.
What, what is the overall risk to the organization? So we have to do a little more research and understand what is possible. And I know when it comes to Microsoft co-pilot, there are a lot of individuals that are looking at it and thinking. This is great.
[00:09:00] However, it has access to all of my Microsoft solutions, which means data as well as the identity side of things.
So you can imagine what bad things could happen should an attack be designed specifically to leverage something like Copilot. Because I often say, One of the main things that organizations struggle with is simple things like who has access to what, what should they have access to, where did they get the access, what are they doing with the access, and should they still have it.
[10:00] The Challenge of Managing Access and Identity
So one of the things that I've found Is that when you start peeling back that scenario, and if I'm giving copilot the ability to help me, it could actually end up hurting because maybe my unstructured data isn't very well partitioned, meaning I don't have the right groups and roles in place to start.
And I see this all the time with a lot of my clients where they were just given a role because they were copying somebody else. And that could be something that's been there for 5, 10, 15 years. You never know. And what you get is just this, this creep of access. And the next thing you know. You know, just because you have access to something doesn't mean you necessarily should.
So, there's a lot we could talk about in that particular area. I don't think we'll go into it today.
[00:11:00] The thing that I want you to think about is, how can we innovate quicker and leverage the AI, the machine learning, the, the, really, the, that whole Gen AI wave that's happening right now, and how do we implement and integrate it into our protect surface?
So, those are things that we'll, we'll touch on, I think, in, in some episodes as we go through. But, one thing I want you to look at is, CISOs really need to start thinking more like chief privacy. And risk officers as well. So if your organization doesn't have one, start thinking that way, because really what it comes down to, if I have to feed this Gen AI wave with information for it to do something, I could be leaking company secrets and not knowing it, I could be helping the language model learn more about my organization.
So then someone else could do it. Use that data and design a way better attack against me.
[00:12:00] And it, and it may sound harmless, but it could definitely happen. And there's a good use case here.if you do a little bit of research and look at things like Fraud GPT or Hacker or Hack GPT or Worm GPT, these are hacker level tools that have been designed.
And they're, they're basically using similar, if not the same, large language model as ChatGPT and others. So, just, uh, be cautious, but definitely start with a governance program. And I think that would be a good place really for anybody.
Changing gears, let's, let's look at something else that I was reading the other day.
[13:00] The Risks of Unused Identities in Cybersecurity
And, you know, everybody always talks about the elephant in the room. And this one was, was kind of funny from a title perspective because it said the elephant in the cloud, the risks of unused identities. So I'm sure a lot of you have heard that identity is the new perimeter. And really that that's a true statement.
And I think of many organizations that I talk to… They struggle with things like unused identities or identities that maybe have, uh, have, have fallen off of awareness, ones that are default to a platform or to a specific cloud. And a lot of the times, You know, I feel like there's an inherent fear of changing something that comes with a system.
[00:14:00] Or maybe you're trying to solve a problem with inadequate tooling, because perhaps you can't afford it, or you've been told, Hey, you can manage all of these things with, um, you know, just the native tool set. But what you might be lacking in Gen AI is things like auditing, or automation, custom controls. And I find a lot of people just haven't been trained.
It's assumed that it's easy and that you know what to do, but that's not always the case. So when, when I'm looking at this, I'm thinking of an identity as a couple of different things could be a human user, could be a machine identity. This is something like, maybe a service account...something built directly into an application.
I think the human user is probably the easier one to identify, but not always. And I think when I've talked to clients, you know, inadequate tools focuses on things like, uh, I was, I was saying before I've got an identity platform.
[00:15:00] Maybe it's given to me by Google, maybe Microsoft could be AWS or others and perhaps.
I'm trying to manage that, but it's not as effective as if I were to look elsewhere. Maybe I'm in a multi cloud scenario. I think a lot of us are anymore. And when I start looking at how many of these I'm able to leverage, the list gets longer and longer. Uh, I know for a fact there's a lot of fear in something could, could break.
And there's a lot of inherent identities and roles and permissions and things that are just set up as part of an initial identity and access management implementation. And if you, if you look at how a lot of the big platforms talk about what you should do, many of them say, hey, don't use any of the default stuff.
[00:16:00] And, me having been in a lot of these different environments... I'm like, then why is it there? And should, can I go ahead and disable that stuff? And it's funny, because in some cases that's a yes. In other cases, it's a no, that's going to break, break things. So to me as a security practitioner, I'm a little concerned about that kind of stuff, so just being able to find a way to mitigate it, I think is, is important, but if I'm thinking kind of beyond all of this architecture and technology.
I think auditing becomes very important when we have this risk of unused identities. So, I want to know.
[00:17:00] If something hasn't been used in quite a bit of time and all of a sudden it pops up and I said this before, just because you should be able to access something doesn't mean it's something that that needs to happen or just because you can do it doesn't mean you should do it.
So having auditing, having automation...And I talk a lot about this when it comes to lifecycle management. And that is,...things like provisioning a user account, reprovisioning access. And I think one of the most important is deprovisioning. So when someone leaves an organization. We need to make sure that is all triggered, it's automated, and we can say definitively that that identity has been deprovisioned and all access has been removed.
And I will say, the most challenging thing when it comes to that deprovisioning process are all of the ancillary Applications because not all applications leverage a common identity.
[00:18:00] There are still ones out there that use a username and password. And just because I de-provision the person from my environment, doesn't mean it, it automatically reaches out and takes away their access to Salesforce.
It could be a long list of applications, and I think that's something useful when you're thinking about, you know, how do I stay out of trouble when it comes to identity? And I think really adopting that comprehensive, automated, and educated approach to lifecycle management.
Ransomware Attacks: Trends and Tactics
One of the other things that I was looking at, uh, this week was, I think as we're getting close to the holiday season, there always is kind of a wrap up of the year.
[00:19:00] How did, how did the attacks of the year impact us? And I, found a couple of articles that were Really focused around the big hacks that have, in a lot of cases, surged in 2023. And I'll name just a couple. We've had Clorox recently, we saw some things come out about Boeing, MGM was a little bit earlier than that.
And it's interesting because CrowdStrike is saying that there's been a 51 percent increase in ransomware attacks since 2022, but I think we all have to take a look at, uh, 2022 in general and, and think, well, why, why, why is that?
[00:20:00] Because experts are saying 2022 was actually a lull in the overall attack when it comes to the United States, Canada, the UK, a lot of the industrialized nations.
And. I think if you were to look at what happened in 2022 That was when the whole Russia invading Ukraine scenario played out. So I think if I'm, you know, putting on my critical thinking hat, I pretty much know where all of the resources were going in 2022. And I think in 2023, what we're seeing is,
these hacker groups are back needing to, to make money because there's been some things that have been done. I'm not going to get into a political or a geopolitical, uh, conversation. That could be a different show. We'll see. But, essentially, there was a lot of distraction happening and now they're out to make money again.
[21:00] The Evolving Landscape of Cybersecurity Attacks
So If I'm, if I'm seeing what's happening, there's been a lot of ransomware, and, and it's so funny because I'm sure you're sitting there thinking, ransomware, wasn't that so, like, 2018? It was, but it, it still hasn't necessarily gotten any better. I mean, there was a large Australian port that was paralyzed from ransomware.
Couldn't ship, couldn't really do much of anything. Las Vegas casinos were basically havoc...was being wreaked by some ransomware. You heard me mention Clorox. There was a shortage of goods caused by ransomware for Clorox. So, there's less. Sanitary wipes and other things. And then there's been some disruption in Treasury market.
So, you know, I was looking at this and I saw that there was a 33 percent increase in just the three quarters of 2023. Because we're not done yet. We're still in the fourth quarter over 2022.
[00:22:00] So, the targets continue to be US, UK, Canada. India is a growing market for these attacks, Pacific Islands, Africa.
So, what does this all have in common?
That's where a lot of the money is. And, what is ransomware after? It's not always looking at destroying. And, I would say, most of the time, it's designed to make money. So, they want the victim to pay the ransom. And, I'm sure you're wondering, like, why hasn't something been done about this? And you have to look at how the tactics of these ransomware groups really unfold.
It's honestly guerrilla warfare. They come together in these small, surgical stripe type cells. They're active for a while.
[00:23:00] They make money, and then they dissolve back into the ether. And then they'll reassemble later as a different group. And it's not always the same people as we've, we've discovered, but they, they typically act like a franchise of a much larger organization and they're getting some, maybe some of that initial funding or tooling or other things.
From the dark / deep web, and there's this whole healthy exchange, uh, and I, and I'm saying this with a smile because it's not healthy for, for those that are victims. But if you are an attacker, your job is getting easier and easier, and some of that we already talked about when it comes to, you know, leveraging the, the whole GPT and the Gen AI, uh, tools that are out there.
[00:24:00] So, when, when I look at kind of the, the year in review, the hacker groups that are most active has been LockBit, ScatteredSpider, and ScatteredSpider is interesting because this particular group, they are very focused on social engineering. So they're calling help desks. They're calling the, you know, kind of the IT service NOC SOC claiming to be a user. I got locked out. They have just enough information where they can. Get a password reset or a token reassigned or something to gain access to a system. And then what are those attackers do? They move laterally. So that is what happened to Clorox. That's what happened to MGM.
We can dissect the anatomy of that attack, I think, on a different show. But really what, what happens is when the ransom is paid, that's kind of what we don't want to happen.
[25:00] Building a Resilient Infrastructure Against Cyber Threats
But in some cases, these organizations don't have any other choice because they didn't have a good, robust backup strategy. And there's something that I've been talking with clients a lot about recently, which is building a resilient.
Infrastructure, resilient cloud, resilient DevOps, resilient applications overall, and what we're trying to get to is you should be able to suffer a complete loss and be back up and running in a predetermined amount of time, and it shouldn't be months. It shouldn't be weeks. It shouldn't even be days.
It should be a number of hours. So there's a lot we could unpack there too, but what I want you to take from this is these hacker groups are operating typically in nations where law enforcement is very, very, uh, difficult to implement in these regions, and they're preying on our desperation of continuing to conduct business, [00:26:00] and that is why this is such a big deal.
Uh, large problem because there's so much money to be made when you're looking at organizations like MGM, the figure hasn't been disclosed, but the idea was that it's tens of millions of dollars. And can you imagine if this hacker group is just three people and it's all paid in Bitcoin? I mean, that's.
That's like set for life kind of money and not in a good way for us, but something that we should be thinking about. So don't always think of this as necessarily just the, the monetary side of things, there's also the threat of leaking sensitive information. And I was just at a conference a couple months ago.
[00:27:00] And we talked about a third type of ransomware that's starting to appear, especially in healthcare scenarios, where they don't steal your data. They don't lock you out of it. What they do is they actually change key parts of the data, and you're not sure what they changed. So you can imagine how this would impact a healthcare organization where, let's say that they're changing patient data.
They're changing maybe how much potassium you're supposed to give a patient or what dose of medication. And can you imagine if they would then come at you with the ransom and say, We changed a bunch of stuff. I'm not going to tell you what we changed, but in essence, if you don't pay this ransom, people will and can die because of the information that's been changed.
Kind of scary.
[00:28:00] So, these are things that I think are driving this whole unhealthy attack surface, and there's a lot of things that can be done about it. I think what we need to do as a security community is dissect some of these attacks. Look at what happened in 2021 with the colonial pipeline.
Look at Clorox, Shell, MGM, ICBC, Boeing. I mean, I can keep naming names. And I feel that's part of the problem. If I can continue to name these names, why have we not learned our lesson? And as a security practitioner, I can, obviously hindsight is 20/20, I can look back and say, here's how we could prevent that.
[29:00] The Need for Proactive Cybersecurity Measures
So I think we have a duty as security, you know, practitioners to speak with our boards. And talk about the very real challenges that could take place. And that's kind of wherein lies the problem. Most of the time I think security is looked at as insurance. Well, let's just get that cyber insurance.
Well, let's just do the minimum so we can pass that audit. Or, be compliant with SOC 2 or ISO 27001/2 or NIST. I mean, I can keep naming frameworks, and I think we're missing the point. I think that the ultimate point is for us to create that resilient organization and to properly mitigate risk. And I, I feel like we just need to do better.
[00:30:00] So I will give you a little silver lining about this whole ransomware topic. I was looking at this this organization called the Ransomware Task Force and they're a non-profit and they have 48 actions that a public or private organization can take to help mitigate attacks. I think the information is great.
Some of it you may know, some of it you may not know. So I would urge you check that out in a search and take a look at it because I feel like this problem isn't going anywhere. It's going to continue to be in the headlines. And I would much rather us all take a look at this and be armed with a little more information.
And it's hard. I mean, some of us have shifted to work from home. And some of us are at home or, as I like to say, we're anywhere. But we're maybe anywhere only a couple of days a week. But that in itself has made our attack surface as organizations that much bigger.
[31:00] Adopting a Zero Trust Approach in Cybersecurity
So that's why I'm urging we need to bring security closer to our endpoints, closer to the application, closer to the data, and we need to move away from this.
And I'm going to say the old way of thinking, which is the castle moat perimeter type approach. The buzzword of last year was zero trust networking. The buzzword this year is AI, but I think if I'm going to leave you with anything, it's that we need to stay focused on. A true zero trust approach and start to treat our internal networks just like the Internet and protect our devices, users and data a lot better.
So thanks again for joining me today and we'll see you next time on the show, which is the State of Enterprise IT Security Edition. Thank you.