the CYBER5

In episode 56 of The Cyber5, we are joined by Ray O’Hara, Executive Vice President for Allied Universal.

We discuss the use of intelligence for corporate security programs, usually overseen by a Chief Security Officer (CSO). We talk about some of the challenges this role faces and how intelligence can be actionable to mitigate those risks. We also work through various case studies, talk about metrics for success, and what technology platforms are used to aggregate intelligence that might be useful in the future.

Four Topics Covered in this Episode:

1. Role Shift for Chief Security Officers (CSO)

• For many large organizations, the chief security officer is the chief strategist for organizing the holistic security strategy and obtaining board approval for the organization.
• CSOs are no longer in the day-to-day planning around “guns, guard, and gates.” Instead, they are more strategically focused on business continuity, emergency planning, and crisis management.
• Risk to business leaders drives the daily activities of CSOs. They need to understand that other business leaders may choose to work around the threat to execute against profit and loss.

1. Intelligence Sources for Chief Security Officers

• Having a dedicated intelligence analyst is an important asset to a chief security officer.
• Emerging markets, information on key suppliers, as well as competitor data is routine tasking for an intel analysis who is subordinate to the CSO.
• Since security is a necessary cost center on the administrative function within organizations, intelligence analysts need trusted partners to handle the collection and analysis side of intelligence, including social media. Additionally, intelligence analysts ensure that collection and analysis are tailored to business management requirements.

1. Sentiment Analysis Combines CISO and CSO Functions

• Negative sentiment analysis against a company's brand traditionally falls within the CSO's GSOC function. However, this responsibility is starting to move toward information security due to threats to confidentiality, integrity, plus the needs for availability of data, systems, and networks from the Dark Web. As long as coordination is present, it doesn't matter whose lane covers social media sentiment analysis.

1. Social Media Monitoring Critical For Reducing Executive Protection Resources

• Executive protection is expensive when a physical security threat escalates. Effective social media monitoring and direct threat actor engagement help to derive the most accurate protective intelligence. They can be a more cost-effective way to monitor the danger without having 24x7 surveillance.

In episode 55 of The Cyber5, we are joined by Nate Singleton, a security practitioner who was most recently the Director of IT, Governance, and Incident Response at Helmerich and Payne.

We discussed the conundrums of operational technology security within gas and energy sectors, including risks downstream and upstream. We also compared the aggressive and constant need for interconnectivity on the information operation technology sides of the house to show that events like the Colonial Pipeline ransomware attack are probably just the beginning of future attacks against critical infrastructure.

We also discussed what more major oil and gas companies can do to help improve cybersecurity for small companies critical in the oil and gas supply chain.

Five Topics Covered in this Episode:

1. Operational Technology is Built to Last, Bringing Nuance to Security

• Underlying technology controlling oil, gas, and energy PLCs runs on old Linux and Windows servers from 20 years ago and patching for upgrades is expensive and takes a lot of down time.
• Routine vulnerability scanning against an entire IP block often seen within regular IT environments can cause major damage, even resulting in the loss of human life, if not conducted carefully and properly in OT environments.

1. Interconnectivity Comparisons Between Legacy Silicon Valley Tech and Operational Tech Development

• Security takes a back seat in operational technology for the Energy Industry, just like it does for Silicon Valley product development.
• The bigger challenge is often integrating regular IT and application developments that need constant upgrades with OT technology that can’t take the upgrades on time. A “move fast and break things” mentality in OT could get someone killed.
• Ransomware and other malware events have the capacity to take down OT production lines for weeks, costing millions of dollars.
• While the Colonial Pipeline ransomware event only attacked the IT environment, it did not attack the OT environment, thus demonstrating the potential for future calamities to occur.

1. Attacks Against Oil and Gas are Geopolitical in Nature and Will Likely Get Worse

• Attacks against critical infrastructure are going to get worse and the attacks are often conducted by nation states who have the time to build exploits against the IT environment and are also leveraging sophisticated OT technology.

1. Strategies for Protecting Operational Technology in ONG

• OT security is protecting the IT administrator who can access oil rigs, energy systems, and OT devices.
• Reporting must make it from the OT systems to the corporate IT systems so they can see profit and loss. Therefore, many critical infrastructures use the Purdue Model to segment different layers in network infrastructure from the machinery to different levels in the corporate environment so customers can be billed. More granular strategies include:
• 1. Updated EDR products in the corporate environment
  2. Multi-factor authentication separating corporate and OT environments
  3. Separate domains for engineers’ ability to browse the internet and check email and upgrade software on the OT networks
  4. Robust firewall policies on the network layer controlling port protocol connectivity back and forth

1. Threat Intelligence for OT Security

• Integrating Indicators of Compromise (IOCs) into a SIEM has become an antiquated practice, but they are still valuable for OT environments since they are modeled around constant connectivity and up times.
• Client-specific intelligence of what threat actors are doing is most critical because the remediations will take place over weeks and months. A cost-benefit analysis is always going to be levied when allocating resources to fix vulnerabilities. A “block all” approach to threat intelligence is not going to work.

Episode 32 of the podcast covers how intelligence can be used to assess exposure and pricing risk for cyber insurance coverage.

• Q1 (01:13) What are the challenges for exposure and pricing risk as they pertain to cyber insurance coverage?
• Q2 (06:45) What questions are best to help understand exposure risk and pricing risk?
• Q3 (10:45) How can security stack maturity help underwriters understand and price the risk?
• Q4 (15:30) How can the disciplines around the intelligence cycle (plan, collect, process, analyze, disseminate) be helpful to underwriters?
• Q5 (18:22) How do you communicate these same disciplines to a non-technical board of directors?

Episode 5 of the podcast focuses on understanding the nuances around insider threat scenarios and features Gabe Ramsey, Partner @ Crowell & Moring.

• Intro (00:18)
• Question 1 (00:56) – Thinking about the team that comes together in an insider threat investigation, what does that look like? Both internal and 3rd parties.
• Question 2 (01:50) - Are there any common trends that you see with companies that are successful in investigating and, from your angle, bringing litigation against an insider threat?
• Question 3 (02:39) - Insider threat, its a very multi-dimensional problem, but all of the effort leads to some kind of legal action or outcome. From your perspective, what is the main network informational gap that you face in trying to prove the actions or intent of an insider?
• Question 4 (04:21) - I've spoken with CISO's specifically on data collection surrounding insider threat, and it seems that there is a general lack of comfort with the total degree of valuable information gathering that can be done within the scope of the law, largely because it seems invasive to the individual. That said with an insider threat situation, you are often trying to prove something that falls more in the realm of human activity, than pure network activity. What are some of the tools you recommend clients use to collect the necessary information to be able to make the right assertion about an individual suspected of being an insider threat, and how do you help them navigate this often-uncomfortable situation?
• Question 5 (07:28) - I've heard people talk about larger, more sophisticated companies allowing technical threats to dwell on specific systems so they can learn more about their motives through the actions they observe on the network, and with insider threat, I can imagine that there is a range of appropriate responses, from immediate separation to levels of overt or covert observation of the individual; from your perspective what does that look like, and what triggers lead to different actions, and what are the actions that companies end up taking?
• Recap & Key Takeaways (10:19)

Episode 3 of the podcast focuses on illuminating disinformation and misinformation activity surrounding the COVID-19 Pandemic and features Cindy Otis, Managing Director at Nisos, Inc. Outline:

• (00:00) Intro
• (01:43) Question 1 - The pandemic is obviously something that’s touching every person’s life at this point. Due to the overall disruption, do you think people are more susceptible to disinformation surrounding it?
• (03:48) Question 2 – What types of disinformation have you been seeing pushed out?
• (05:35) Question 3 - Who are the actors behind it? What are they trying to accomplish with it?
• (08:54) Question 4 – If I’m an employer, what can I do to help protect my employees from the influence of disinformation campaigns
• (11:38) Question 5 – We’re still leading up to 2020 elections - Are you seeing corona virus disinformation tied to anything election related?
• (14:58) Recap & Take-aways