Maintaining Secure Business Continuity With A Remote Workforce - With Sam Curry

The COVID-19 pandemic forced organizations to transition to a work-from-home model, and many of them were unprepared for such a radical departure from the ‘normal’ security perimeter. Sam Curry, Cybereason's CSO, talks to Ran about the lessons learned from COVID-19, and what steps cyber security professionals should take in order to be ready for a future outbreak.

Link To Cybereason's Guide on How To Maintain Secure Business Continuity With A Remote Workforce:
http://malicious.life/remotesecurity

Hosted By

Ran Levi

Born in Israel in 1975, Ran studied Electrical Engineering at the Technion Institute of Technology, and worked as an electronics engineer and programmer for several High Tech companies in Israel.
In 2007, he created the popular Israeli podcast, Making History, with over 14 million downloads as of Oct. 2019.
Author of 3 books (all in Hebrew): Perpetuum Mobile: About the history of Perpetual Motion Machines; The Little University of Science: A book about all of Science (well, the important bits, anyway) in bite-sized chunks; Battle of Minds: About the history of computer malware.

Special Guest

Sam Curry

Chief Security Officer at Cybereason

Experienced Senior Security Executive with a demonstrated history of working in the computer and network security industry: product, engineering, security experience. Extensive publications and patents, big company and entrepreneurial track record. Multiple awards from industry, public sector and academic institutions. Personal mission to fulfill the obligation of security to the world.

Episode Transcript:

Transcription edited by @hakinadey

[Ran] Hi and welcome to Malicious Life in collaboration with Cybereason.
The COVID-19 pandemic had and still has a big impact on many aspects of our daily lives and one such major impact is that many of us, including myself, are forced to work from their homes.
This naturally has a great impact on the security posture of many companies, which is why I have with me today, online, a long-time guest of Malicious Life, Sam Curry, Cybereason’s CSO. Sam, great to have you back on the show again with us.

[Sam] Great to be here. Thanks for having me.

[Ran] And Cybereason recently published a guide to maintaining secure business continuity during COVID-19 for security people, with insights and advice from Sam and others in the company. In this relatively short episode, we’ll discuss some of the highlights from that guide and how COVID-19 is impacting cyber security in general. If you’re interested, by the way, you can find the guide at malicious.life/remotesecurity, malicious.life/remotesecurity.
So Sam, right off the bat, what problems did this radical departure from the “normal security perimeter” highlight?

[Sam] Well, I did an analogy almost immediately. I tried to think of something in nature that could be seen as similar. And I’m not a biologist, but I came up with crabs. It doesn’t sound good when I say it like that, but effectively, crabs have an exoskeleton. And as they grow, they shed it. And then they grow a new exoskeleton. And this was the equivalent of having an environmental trigger causing this molting, this shedding of the exoskeleton by an entire population of crabs all at once. And I say I’m not a biologist because crabs might in fact behave that way.
I’m just using this as an analogy, so please forgive me. But essentially, the predators note. And they go, aha, I can attack. And sometimes I say to CISOs, hey, you can do anything. You just can’t do everything. And the same is true for the bad guys. Yes, they can do a lot. And they can target things.
But in that moment, it was a feeding frenzy on the beach with all these crabs exposed. And we saw this immediately after the radical departure from the perimeter. We’ve said for years the perimeter is dead. It’s not. It exists. But now we’re going to be outside, not just part of the company, everyone. Critical functions that have never been outside will be tested. And they went after the easy pickings, mixing metaphors, the low-hanging fruit. They didn’t have to do the more complex things that were being theorized or that we as security practitioners suddenly worry about.
But I’m going to say that the most important thing is it’s a chance for a dialogue about risk with the business. And instead of saying, hey, if you just do X, you’re safe, you say, here’s what we’re working on and why we’re prioritizing some things over others. It’s how you manage it as a process, how you come back, how you talk about it.
Because the biggest problem in security isn’t whether you have strong authentication or not. It’s alignment with the business. And how do you come back? And how do you have this without frustration and to say, I’m not asking for toys.
I’m not just worried because it’s my job to worry, but that this is an iterative process. Your first derivative, your rate of improvement matters more than your static state right now. And so to answer your question, it was like the year 2000 all over again, VPN and password resets became the number one problem again. And then everyone was in this fight or flight, what do we do next?
What do we do next? And it’s the calm afterwards where you get to test that.

[Ran] Part of the advice that you give in the white paper is, for example, I think it was advice given by Amit Serper, also a frequent guest on Malicious Life, is to have a day of preparation in the company.
Even if there’s no real reason, let everybody work one full day from home just to test how the company’s business behaves in such conditions. I thought it was very good advice, something that I wouldn’t have done. Yeah.

[Sam] Yeah. The document that you referenced started with a list of things I worry about, not what we sell because of course we’re in the security space, but the security space is much bigger than what we do. Instead it was, as a security person, what am I doing triage on? And then I said, wait a minute, turn it into blanks so that someone could read the categories quickly in a moment and say, okay, do I care, and they could put a number beside it.
They could say this is first, this is second, this is third. Amit’s advice there, and I gave some similar parallel advice, was if you have the luxury of peacetime, if you have the luxury of doing a drill, use peacetime. Do a test. Say tonight, everybody works, you say tomorrow everyone’s working from home. See how you do. It is a drill just like a fire drill. But if you suddenly have to work from home tomorrow, you don’t have the luxury of being able to take a day to do that.
And I think that’s the place we were in. And then everyone says, well, we should have used the peacetime well. And I think now that we’re going back into it, we have an opportunity to do exactly that. So anytime you’re in a situation where you’re going to have this radical change in your IT structure and how people work, there’s a chance to do a drill, to do a rehearsal, to do a tabletop, and use that time.

[Ran] Yeah, actually, a few of the things that came up in the white paper are things that I would never even consider, like licensing. You know, in the daily routine, we don’t use so many licenses for remote operations. And then all of a sudden, everybody needs a license.

[Sam] Yeah, this was something I learned years ago when I was doing more strong authentication stuff. We had SARS and MRSA, we had 9/11, we had the global financial crisis, terrorist threats. Suddenly, a population has to be at home.
I started to think in terms of, I want burst licensing, as we were calling it. I want the ability to suddenly have a larger number than I normally subscribe to, to be able to get on a temporary basis. And it’s good that a lot of companies have done this, but just look at Zoom, right? They increased somewhere between 10 and 20x in a week. I mean, rumor has it, while I’ve spoken with Zoom a few times, rumor has it that that impacted the availability and cost of compute in Amazon because so many resources were being consumed.
At the same time, we had this massive draw on the supply chain for laptops. Laptops were rarer than toilet paper. And so the ability to roll out new infrastructure to host cloud computing workloads went down, which drives price up. So you suddenly could see a spike.
And I think in what we just went through, the industry responded by saying, we’re going to let you use this and we’re going to let you use that. Everybody laudably had a “make sure people can use what they need when they need it, and we’ll worry about paying later” approach. And that wouldn’t normally exist.
So in your planning, assuming that it isn’t a global financial crisis or a pandemic, you should be prepared to be able to negotiate or enjoy burst licensing.

[Ran] That’s just one aspect. And now we had a live drill, as they say in the military. You yourself probably were affected having to work remotely, etc.
What are the lessons that you learned personally from that experience?

[Sam] Wow. So it’s funny, I’m still working from home. Even as we record this, I can hear my children in the other room. But my productivity went up. I got more time back. However, my stress went up.
In my life personally, at any given point in time, I can say I’m in this state, I’m in a mode, and my priorities are ABC. I’m in home mode. Priority is wife, children, etc. Work comes lower. I’m in work mode.
Unless there’s a crisis, one or the other, these are things that come first in work mode. That went out the window.
So I’m not a morning person generally, but I find that my day is spreading out. And I’ve heard this from other security practitioners where some companies only had to maintain operations, say, eight to five or eight to six.
Now the employees are working around the clock. The clean divides in our life are gone, and that leads to stress. That’s my personal learning. And my wife and I, we found ways to adapt. And I have a very forgiving company.
But I do sympathize with people that don’t have that kind of time to work it out. And it’s not easy for anyone right now. And that might be a more personal answer than we’re looking for, but on the personal side, it is all about not even balance. It’s about scheduling time and then remembering that I should be having some of that time too, which is really hard. And I imagine it is for you too.

[Ran] Yeah. Actually, what you were saying about the spreading of the workday relates to some other great advice that I read in the guide about the availability of IT support to employees.
Another thing that needs to be taken into consideration since people are working in all hours of the day, IT support is super crucial when we’re all always working from home.

[Sam] Oh yeah. No, it’s IT support. It’s also HR support.
Stressed people make poor decisions. Awareness training might fall on deaf ears. And honestly, the baselines in security go out the window. So hey, normal behavior for a user during work hours is this. There are no more work hours. The applications they use are different.
The productivity went from being they sit down for an hour and use this particular process to they’ve got four running concurrently and they’re on more than one system. So productivity goes up, stress goes up, and then that starts to pay a toll in security and in operations.

[Ran] Maybe it’s a bit of a philosophical question, but do you think this pandemic will lead to a future world of more working from home, less traveling, maybe even better?

[Sam] Oh, I’d love that. I would. I would also like the kids to go back to school or to summer camp at the same time. Love them. They love me. But nobody should be 100% around each other.
But I do want to say two things. First, I’m not convinced of this utopia coming. The reason we didn’t have it before wasn’t that we couldn’t do it before. I’ve heard some people say this acted as a catalyst to accelerate the future, but I’m not convinced of it. I look at the example of World War II. In 1935, there were women in manufacturing in the United States. In 1945, they were dominant in manufacturing. In 1955, there were fewer of them than in 1935, and there’s a bunch of societal reasons. We really need to understand what pulls us to the office. We’ve had the promise of the paperless office, of a less-travel world, of remote work for years. I think we will have more acceptance when we know how to do remote work, but a lot of other factors will go into whether or not that is the new normal.
And the second thing is there’s a third phase. We’ve got before, we’ve got during, and then we’ve got immediately after. It is not a return to before, and it’s not a hybrid. It’s its own thing. I’ll be specific.
The advice that Amit and I and others at Cybereason and beyond have given in this document needs to be revisited in the third phase, the going back. Because we all left, we all used new applications, we all used new systems, we all had new infections, and now we’re going to bring those never-before-seen things inside the firewall. It is figurative, perhaps, but it is actually a Trojan horse, meaning the things on your laptop based on your new behavior, the new things you click on, the new things you use coming inside is a combination that I don’t think there’s the urgency for that we had when we went out. The return is not just a return from Exodus.
It is a new state in and of itself. It demands CISOs and security execs and all execs think about it and look at the risk registry for it as a new state. Don’t just say, oh, we know how to do this, I’ll be back. Create things like clinics to give people help or to examine systems as they come back in and start your baselines again and start monitoring employee stress in new ways.
Because depending on where you are, certainly in my case, if I go back to work, my kids don’t go back to school yet. That is a recipe for disaster because how do we cover all those bases? You might wind up working from home for a while and it may not be the new permanent state.

[Ran] Yeah, I personally hope that it won’t be the permanent state because actually working from home kind of dispelled the utopian notions of how fun it will be because it’s more difficult than it seemed to me personally.
So last question, Sam, do you think people will be ready when this all happens again sometimes in the future?

[Sam] The thing about crystal balls is it’s hard to tell. I have done the decision tree because you can’t maintain all the what ifs and then come up with a reasonable probability. And I look at the end state.
So I say at any given point in time where I have something uncertain, I branch it. Do we go back within three months? Yes or no. Do we have a second wave? Yes or no. Does the economy rebound in a permanent lasting way? Yes or no. At the end of it, I’m reminded of something Winston Churchill is said to have said, never let a good crisis go to waste.
The biggest problem in security, for all that I sell detection and endpoint products in my core business, is not detecting. It’s not vulnerabilities. It’s not SIEM. It’s not fill in the blank. It’s alignment with the business. And the way that you get there is by treating security as a process and having a regular dialogue and rolling up the sleeves and getting to know one another.
So we should not retreat as security people and we should take her as business people. We should take a seat at the table and make sure that we get this right the next time. I don’t know what the next time will be, but there will be one.
And my sincere hope is that we are more flexible, more adaptive, more of a connected, more of a safe world when that happens.

[Ran] I really liked that saying. Don’t let a good crisis go to waste. Every crisis is an opportunity.
Sam, thank you very much. It’s been a pleasure as always.
Again, you can find Sam’s and Cybereason’s full guide at malicious.life/remotesecurity, malicious.life/remotesecurity.
And we’ll be back next week with a new episode of Malicious Life.
So stay safe, everybody.
Bye bye.