In this podcast recorded at RSA Conference 2017, Rob Brownsword, VP of Product Marketing at Nehemiah Security, talks about why the most useful thing you can do as the owner of a network of computer systems is to focus on cyber hygiene, and why that unglamorous work is the most effective way to keep an adversary out.
Here’s a transcript of the podcast for your convenience.
So, Rob, there’s a lot of talk about innovation in the cybermarket these days. People joke about the buzzword bingo, machine learning, AI, in real time – this is not what you are here to talk to us about today. You’re here to describe cyber hygiene. Why did you decide on that topic?
Because the most effective, useful thing that you can do as the owner of a network of computer systems is to focus on that hygiene – is to make your environment as hard to penetrate as you can, and that’s a very broad topic full of a lot of unglamorous things with lots of human, roll up your sleeves kind of labor and ripe for automation, but not high innovation. Not high glamor. I’ve got to do all the patching, and I’ve got to do all the cleanup of old applications. And I’ve got… on and on and on. That’s the most effective thing that you can do though to keep an adversary out.
What are some of the biggest mistakes you see companies make?
The market that we’re a part of is full of innovation lust. Everybody wants to chase the greatest new innovation, chasing the brass ring on the carousel kind of mentality. That’s great and wonderful and there are some wonderful innovations going on in the industry, but that does not replace the blocking and tackling you have to do to manage your health as a network.
Within an organization, whose job is it, this cyber hygiene we’re talking about?
It’s everyone’s job. Everyone contributes to the hygiene of the network – that’s true from the CEO of the company, right down to the mail room stock person. Everybody that touches a computer, everybody that opens an email, everybody that logs on to a computer or touches the network in any way, contributes to the hygiene or lack thereof in that environment. Humans are a huge part of that – they are notorious for doing the wrong thing at the wrong time. And so, part of hygiene is educating your users, practicing good behavior as a user of those computer systems, in addition to all the background stuff that you need to do to technically keep the environment clean and healthy.
In your experience or your opinion, what percentage of breaches can be traced back to something that you would call a cyber hygiene oversight?
I think that number is very hard to pin down, but is likely in the upper 90 percentiles. If it’s not social engineering, if it’s not an email, then it’s somebody forgot to change their password or left a password written on the side of their computer or it’s that they intended to do that patching before they went home that day and they just got busy and forgot.
Everything about the things that humans have to do to keep their environment safe contributes to that likelihood – although there are no guarantees and I would never claim it was 100%, because the really good adversaries out there will get past the very best offensives that you can make. But 99-point-something of them are made easier, if not enabled, by the lack of good hygiene somewhere in that environment.
Now, I know that Nehemiah Security is more than just a cheerleader for good cyber hygiene in this area, and that you have your AtomicEye ASM, which stands for Attack Surface Manager. Can you help me understand how AtomicEye ASM helps companies do this roll up your sleeves work that you’re describing?
Absolutely. As I mentioned earlier, there’s an enormous amount of just blocking and tackling, and a lot of that is ripe for automation. I was just looking at a report from one customer that had 4,000 individual cyber security vulnerabilities that they needed to address – that week. The manual effort involved in doing all of that, and that’s the traditional way to do it, is just overwhelming for most organizations. It’s too time-consuming; there’s nothing glamorous about it, there’s no obvious business advantage for doing all of it.
We have addressed that by trying to automate as much of that as possible. So, when we find vulnerable applications that aren’t being used anymore, the vulnerabilities are still there, whether they are being used or not. We’ll remove the application automatically, without human labor. Deploying patches is only a part of that – all the other security settings, all the other configuration items that are part of that good cyber hygiene can and should be automated, and that’s what ASM does.
I’m reminded of the shortage of cybersecurity experts in the marketplace. It sounds like this could be a booster for that type of a problem that companies face.
Absolutely. And this type of work is not the glamorous part that those very rare specialized people don’t want to spend any time doing. So, automating their job and making them more effective and cleaning up these cyber hygiene details, whether that comes from a vulnerability assessment or something more rich and business-oriented like AtomicEye RQ, the result is something that can and should be automated. So those very specialized people can focus on the really hard challenges of that environment.
You mentioned the term ‘innovation lust’. So as a final question, what do you think the impact of these waves of innovation is going to be on the blocking and tackling hard work that you’re describing?
Innovation will always be finding improvements, ways to build or to safeguard an environment more easily or more effectively. But in general, they’re simply keeping pace with the adversaries, and how sophisticated and growing in capability they are. The studies all show that most successful attacks are caused by or are leveraging cyber weaknesses that are years and years old. Meaning somebody wasn’t exercising or enacting those vulnerability hygiene items – they were ignored. And that’s what the adversary ultimately used. The innovation is great and wonderful, and we need to continue to do that, but it is not in place of, it will never be in place of, all the other things that came before that we can’t forget to continue to do, to maintain good cyber hygiene in your environment.