For anyone who has worked in information security for any length of time, Jeremiah Grossman is a familiar name. Having worked in security for two decades, he has seen many industry cycles come and go.
Not content with simply being a professional hacker, highly acclaimed public speaker, published author, founder of WhiteHat Security, and current Chief of Security Strategy for endpoint security vendor SentinelOne, Jeremiah also holds a black belt in Brazilian Jiu-Jitsu. As InformationWeek put it, “Jeremiah is the embodiment of converged IT and physical security.”
Over his career, Jeremiah has been an admired advocate for the IT security industry, but he has also been critical of many aspects of it, such as the lack of vendor accountability to customers. So I was pleased to get some time with him, pick his brain about what he considers the most pressing issues, and hear how he thinks we can best approach them.
We see the number of breaches on the rise and we hear a lot about nation-state actors and advanced threats. How many breaches, in your opinion, are due to a lack of InfoSec know-how or available technology?
Very few breaches are the result of a lack of InfoSec know-how or available technology. Whether it was the breach of Equifax, Home Depot, Target, Maersk, Sony, the DNC, or thousands of others, each one (with the possible exception of Stuxnet) was entirely preventable. These breaches were the products of missing patches, simple misconfigurations, no multi-factor authentication, weak endpoint protection, and well-understood software flaws. The InfoSec community has seen every attack that exploits these a thousand times — nothing really impresses us anymore. It all boils down to a general lack of InfoSec basics.
Although it may seem to those outside the community that there is a lack of available security technology, that notion couldn't be farther from the truth. In fact, it's quite the opposite. We're drowning in 'hot new' security products, with yet another announced each day. What may be the biggest challenge in InfoSec is that we are seeing too much technology thrown at today's threats, with the desperate hope that something will eventually stick.
While the bad guys are scaling up their attacks and becoming more deliberate, the InfoSec community is failing to match the speed and scale we are seeing from those attacks.
What role does product innovation or awareness and education have to play in breaches?
Product innovation, awareness and education are huge when it comes to preventing breaches. In order to stop breaches from happening we have to know what we are up against, the motives behind such acts, and how adversaries are actually breaking into systems.
To better understand what innovation, awareness and education are needed most, we must have the data that comes from these breaches. This is something we've thankfully been getting better at over the years. And with aggregate investigations into this data, we're better able to put the right strategies into place in order to counteract them.
For example, if a company is seeing an attack targeting them in an area where they are lacking proper defense measures, then they will need product innovation to cover that up. With the proper technology innovation and products in general, we’ll be able to react better and faster to incoming attacks. As attackers continue to scale, speed of the defense is everything.
You've spoken a lot in the past about incentives to do the right thing, saying that those in the best position to act have limited incentives to make the right decision at the right time. What kind of incentives do you think need to be put in place?
Simply put: financial incentives. While other colleagues may prefer governmental regulations, I'm personally partial to incentives that are purely voluntary and market-driven. If nothing else, it's incredibly difficult, if not impossible, for law and regulators to keep up with the shifting activities of online adversaries. I believe the best incentive models are the concepts of cyber-insurance and cyber-warranties. Cyber-insurance and cyber-warranties place those in positions of power to make the right decisions at the right time, both for the company itself and for its customers.
Take cyber-insurance for example, which a significant number of organizations have already purchased. If an organization has a poor security posture, their cyber-insurance carrier may be inclined to spike their premiums to hold them accountable until corrections are made. The organization may also risk a breach claim not being paid if they didn’t uphold the contractual terms in their insurance policy agreement. This market force, which is really a business ROI analysis, puts extraordinary pressure on the business to take action quickly.
When it comes to cyber-warranties, security vendors become accountable for the promises they make about their products in black & white terms. What makes cyber-warranties so attractive and powerful is the fact that they lay out two fundamental premises:
1. What specifically the security vendor is responsible for
2. What specifically the customer is responsible for
If both sides uphold their end of the warranty, then good outcomes should happen.
However, if a breach occurs, and the cause was that the security vendor's product did not perform as contractually promised, then they are financially liable. Effectively, what cyber-warranty policies do is weed out fact from fiction. If a security vendor makes a claim about their product, a warranty acts as an incentive for them to be true to their word. On the other hand, if the breach was the result of a customer not using the product as contractually obligated, then the warranty will not apply and they will suffer the financial penalty alone.
Cyber-warranty obligations provide a powerful incentive for both customer and vendor to work in true partnership to protect against breaches.
That’s an interesting perspective, but it’s a long road. How can vendors make a start on this and what should customers ask for?
There are several things customers can do, and one of the biggest is asking their security providers what specifically in their product they are prepared to offer a warranty on. This could be a subset of all features, the entirety of the product, or even just an SLA, depending on the vendor.
Think about it this way: when was the last time anyone or any business spent 5 or 6, let alone 7, figures on anything without expecting some kind of warranty in return? For some reason, only software and security get away with this as a market norm. It's 2017 and, with $81B in collective InfoSec spending later, customers deserve better.
When it comes to security vendors, they should be able to measure statistically how well their product functions under certain conditions. Once they know how well their product works, they can design a specific warranty. They'll be able to estimate the expected failure and loss rates, just like in every other industry. And once that can be done, a warranty, especially one that's insurance-backed, can be offered confidently, to the benefit of everyone.
Thank you for your time. What's the best way for people to get in touch with you?
The best way to reach me and keep up with my thoughts is through Twitter.