[00:00:19.320] – Matt Fusaro
How are you doing?
[00:00:20.570] – Jason Pufahl
I think people can tell it’s trying to be a little more light-hearted already with this one.
[00:00:24.900] – Speaker 2
[00:00:25.890] – Jason Pufahl
Yeah, stealing pens and rolling into it.
[00:00:31.310] – Jason Pufahl
So this episode, focusing on really the important news that we’re seeing in the security industry, cover a little bit about what clients seem to be asking for recently. So a little bit more light-hearted than a couple of the other episodes I feel like we’ve recorded recently.
[00:00:51.410] – Jason Pufahl
I think we can start really with big news, the acquisition of Mandiant by Google. I think it’s Google’s second-largest acquisition in their history.
[00:01:02.220] – Steve Maresca
For the paltry sum of $5.4 billion, which is pocket change.
[00:01:07.020] – Jason Pufahl
Pocket change. What are they buying and what value does it have to Google?
[00:01:12.800] – Matt Fusaro
Whatever it is, it’s beta now.
[00:01:14.680] – Jason Pufahl
It definitely is beta.
[00:01:17.970] – Speaker 3
Do you think Mandiant’s now in beta forever?
[00:01:20.330] – Speaker 2
Or it will just disappear-
[00:01:21.520] – Speaker 3
Yeah, that too.
[00:01:21.080] – Speaker 2
[00:01:24.270] – Jason Pufahl
Actually is Google Docs and all, Is that still in beta or is that a legitimate product.
[00:01:27.820] – Speaker 3
That might be out of beta?
[00:01:28.690] – Jason Pufahl
I think it’s out of beta.
[00:01:30.390] – Speaker 2
Who’s to say?
[00:01:31.260] – Jason Pufahl
It doesn’t matter, but it works. But will it be more secure now moving forward?
[00:01:36.230] – Steve Maresca
That’s hypothetically the play. So Google acquired, or announced a deal to acquire Mandiant for 5.4 billion which, if anybody’s not familiar with the name, you might have heard FireEye instead, which is really the corporate entity. The goal is to really acquire the company and all of its capabilities to support Google Cloud, or at least that’s what the Newswire suggests.
[00:02:01.140] – Steve Maresca
Ultimately, this is consistent with a lot that Google does. If you’ve heard of VirusTotal, if you’ve heard of Project Zero, Google has a lot of investment, even if it doesn’t improve their bottom line in security research in general.
[00:02:17.020] – Steve Maresca
And philosophically, they make acquisitions that help selfishly protect Google infrastructure. In this case, they’re trying to straddle the line between their own stuff and their customers. So they’re trying to differentiate a little bit relative to Azure and to Amazon-
[00:02:36.450] – Jason Pufahl
To influence in the Cloud computing space.
[00:02:39.010] – Steve Maresca
[00:02:39.420] – Matt Fursaro
I think there’ll be actual products coming out of this that are now Google-branded. It might still be things that Mandiant has always done, but they’ll either be repackaged inside a GCP or something like that, that is accessible in that consumption model they have.
[00:02:52.610] – Steve Maresca
I’m a little interested, Matt, you might be, too. We know from our own history that Mandiant and FireEye have some real expertise in-house with respect to memory analysis and hypervisors. And if they’re acquiring this to some degree to bolster Google Cloud, that might produce some really profoundly interesting stuff near and dear to our hearts. But time will tell.
[00:03:17.650] – Jason Pufahl
That feels like enough, probably. Let that develop more, see what actually comes of it.
[00:03:23.830] – Jason Pufahl
Another recent bit of news, I think, is SISA and the announcement. I think what struck a chord for me probably was the more stringent reporting requirements for a larger set of businesses than we’ve traditionally seen. There’s certainly more to it, but I think that’s going to impact everybody.
[00:03:47.630] – Matt Fusaro
So as part of the strengthening American Cybersecurity Act, I think that got pushed into the one and a half-trillion dollars spending bill that recently, I believe-
[00:03:57.250] – Jason Pufahl
Yeah that number sounds right
[00:03:59.990] – Matt Fursaro
Pushed through. I could be wrong on whether it’s actually voted in or not. I think it is.
[00:04:02.730] – Speaker 2
Yeah, it’s been signed.
[00:04:05.570] – Matt Fursaro
So as part of that whole package, they now have reporting requirements to support covered entities. So covered entities for them would be critical infrastructure. So if you’re any type of that, you’re going to be under this. So energy, chemical, financial services, dams, manufacturing in some areas, even information technology.
[00:04:28.520] – Matt Fursaro
So they have some broad terms, I think, on purpose, and I think they’re going to try and broaden that even more to have a 72-hour requirement to report any type of cyber tax that happened, any ransomware payments that happen. And they’re looking for details on it, too.
[00:04:45.810] – Jason Pufahl
Well, I think if there is a ransomware payment, they’ve shortened that to 24 hours. So I think that’s even a shorter time requirement.
[00:04:52.250] – Matt Fursaro
Yeah, I’m not sure if they’ve taken that down. I’m sorry, yes, you’re right. So, 24 hours within the time of the payment. So I guess 72 hours of the incident, 24 hours within the time frame of payment, they want to know where you sent it, how much you’ve sent.
[00:05:09.710] – Matt Fursaro
And as far as the incident is concerned, they’re going to want to know what happened, what you have in place to prevent it from happening. If you have vulnerabilities that were exploited, you’re going to have to report on those things. And if you know anything about the actor, they want that information.
[00:05:26.590] – Steve Maresca
So this serves a couple of purposes. On one hand, the 72-hour time frame makes this consistent with GDPR reporting timelines, which is quite interesting to me. It’s consistency on an international level for anything in the EU and US sphere.
[00:05:44.210] – Steve Maresca
But you’re right, Matt, that it has a lot to do with situational awareness, to help US defenses, feeding information from the actual private sector up into DHSNC. So just to help disseminate that information to better defend everyone.
[00:05:59.600] – Matt Fusaro
There was a lot of controversy around this, too, because the FBI really wanted to be in the reporting path of this. They’re not. So we’ll see how that develops. My guess is if the FBI wants it at some point, they’re going to get it.
[00:06:15.530] – Matt Fusaro
But I guess that kind of leads me to what happens if you don’t. So far, it’s kind of a slap on the wrist, “Hey, you should have done that.” What they’re saying is that they have the ability to subpoena you if you don’t report to them. It’s a bit of a process, so my guess here is that it’s going to have to be worth the effort for them to go out and subpoena you for that information.
[00:06:41.030] – Matt Fusaro
I’d watch out for that, becoming a little bit more strict, financial fines on top of that. We’ll see how that develops. But I’d say be prepared to start reporting this type of information and find out, quite frankly, if you’re a covered entity under this act or not.
[00:06:56.470] – Jason Pufahl
Well, it’s just another example of the security space becoming more formalized. We’ve seen this evolution over the years. There’s a variety of drivers. We spoke a little bit in the past about cyber liability insurance and insurance carriers making companies be more formal, certainly GDPR and some of the regulatory requirements.
[00:07:16.070] – Jason Pufahl
In certain ways, from my standpoint, it simplifies some of the incident response work that we do and standardizes the reporting a little bit more. We always talk about reporting early on in incidents. This clearly makes that even more front and center.
[00:07:31.140] – Jason Pufahl
And then to your point, if you’re going to report, the questions are going to be what type of security program do you actually have in place? And are you tracking ongoing improvements and the gaps that you have? So you really do need to have some written security plans in place. You need to have an understanding of where your vulnerabilities are and demonstrable evidence that you’re making some sort of progress against that.
[00:07:55.010] – Steve Maresca
I think this will be a bit of a shock to the system for organizations that have not been historically prepared, which is atypically true on the international sphere for US companies because there hasn’t been a regulatory environment that actually mandates this sort of thing.
[00:08:15.410] – Steve Maresca
There will be a net improvement, but my expectation is that many orgs will spend a fair amount of time simply trying to understand what to do appropriately without a lot of internal familiarity with those requirements.
[00:08:30.040] – Jason Pufahl
I mean, I think to Matt’s point, though, there’s not going to be a huge penalty right out of the gate. I think this does standardize some of the requirements a little bit. And I think if you’re making that good faith effort, I don’t think that there’s going to be huge penalties as a result. Yeah, for sure there’s going to be some overhead for companies as they mature into this. But just being aware of the issues, I think is important.
[00:08:54.200] – Steve Maresca
I mean, speaking from actual experience in reporting things to SISA and federal reporting bodies for information disclosures, they absolutely behave appropriately. If it’s an accidental disclosure, if it’s a small incident, they simply say, “Thank you,” and then move on and close the case. They’re not trying to make something onerous that’s honestly reported because that would discourage everything.
[00:09:19.160] – Matt Fusaro
I think there’s going to be a little legal battle on this one only because they do say the word solely a lot in their language when they’re talking about whether this information can be used in their court or something like that. What they’re saying is they can’t solely use the report, but that means that it could be part of evidence of investigation.
[00:09:45.210] – Matt Fusaro
I’m sure that will get battled out a little bit. We’ll probably have to wait and see if there’s any actual court cases that give some precedence on this one, but watch out for it. I think you’ll probably be hearing more and more from SISA over the next year or two.
[00:09:58.610] – Jason Pufahl
Yeah, for sure. So transitioning then from the new requirements to report to maybe a company that recently may have been a victim of a chat group called Lapsus Okta, did they report soon enough? Do we have enough information about that? I think that’s something that has people on alert, certainly given their relevance in that authentication space.
[00:10:23.890] – Steve Maresca
So for those who aren’t familiar, Okta’s a company that deals a lot with identity Federation, identity management. And the first thing that they really did well was multifactor, among other things. But that is the particular case here. It has to do with defending logins and making sure that people who are who they say they are. Reasonable preamble, point is that they help companies defend their own equipment.
[00:10:50.730] – Matt Fusaro
It’s ironic that they’re a zero-trust company now. Trust no one except when we have a cyber incident.
[00:11:01.900] – Jason Pufahl
The hack, though, the information that came out is Okta ,as a company, wasn’t hacked. But it was the data they had on their clients, perhaps, that was a component of the sale.
[00:11:14.470] – Matt Fusaro
I think some of that’s still coming out.
[00:11:16.520] – Steve Maresca
Without a doubt developing.
[00:11:18.850] – Matt Fusaro
As of this recording, we still haven’t gotten an official statement from Okta, they haven’t put one out yet. We’re really finding out a lot about this this morning, that there was an incident back in January with a third party sub-processor, I think, is what they’ve said so far. Which, sure, it may not have been one of their ordained people, but it may still have been their system.
[00:11:42.190] – Jason Pufahl
It’s really difficult to know. If you put yourself in Okta’s shoes, they want as much information as they can to release so that they can reduce the amount of questions that people have. And two months seems like a long time when you throw out, say, mid-January to now, was there an opportunity before this maybe to disclose this information?
[00:12:03.640] – Jason Pufahl
They’re a really important player in that authentication space to be really general about it. And it’s not a small vendor, it’s not somebody that people don’t have basically the bulk of their infrastructure tied to when they use this product. It feels like it should’ve come out earlier.
[00:12:22.270] – Matt Fusaro
Yeah. Is that critical infrastructure these days? I don’t know.
[00:12:25.740] – Jason Pufahl
It feels like it.
[00:12:27.730] – Steve Maresca
There’s an argument to be made for that, but unless compelled to report, unlike our previous subject, the reflex is to treat it as a PR exercise to minimize negative impact and paint the rosiest picture. They are inherently at odds with one another, and it’s why we’ve seen companies be a bit reticent. Now, they may legitimately be operating without full understanding. We need to give them the benefit of that-
[00:12:55.640] – Jason Pufahl
And I expect they probably are.
[00:12:57.380] – Steve Maresca
But there are certainly other examples of vendors that could have alerted sooner, Black Bot at some time in the past. The point is there is a conflict there in preserving the company’s reputation and delivering good information without painting a poor picture. And potential victims want information as soon as it’s possibly available, and it might not be.
[00:13:22.980] – Jason Pufahl
Yeah, I just think your trust comes as a result of transparency. And in my opinion, even if you don’t have all the details, I think getting information out as soon as you can, I think, is valuable and is often well-received.
[00:13:35.350] – Jason Pufahl
And I get that that means a lot of work for Okta, fielding questions that they may not have the answers to, so it’s a really difficult decision to make. But nowadays, two months seems like a long time to me and I feel like a little more information should come out.
[00:13:50.900] – Steve Maresca
So were there any follow-on effects to the other vendors that were effectively exposed as a result of their hack potentially?
[00:13:58.510] – Matt Fusaro
I haven’t seen any of that personally. I know that as far as what’s associated with it, I know there is talk about the possibility of the Nvidia hack, possibly Bridgestone, there was another one too. I’m trying to remember.
[00:14:12.870] – Steve Maresca
[00:14:15.730] – Matt Fusaro
Actually, that’s the biggest tie-in, is the same group just recently released partial source code for Bing, a couple of other services as well. So this Lapsus group that they’re expecting did this, a lot of interest right now. They’re making a lot of noise.
[00:14:37.110] – Jason Pufahl
And reasonably new is my understanding.
[00:14:39.790] – Matt Fusaro
[00:14:43.730] – Jason Pufahl
Any follow ups on there before we segue into…There’s one thing in particular our clients are talking about that I want to hit on.
[00:14:50.720] – Steve Maresca
All it says it’s developing. I expect this to make more waves in the next few weeks and it’s not going to go away. We’ll probably talk about it again.
[00:14:57.940] – Matt Fusaro
[00:15:02.390] – Jason Pufahl
It’s kind of interesting because I feel like the last couple of podcasts that we recorded, we talked a little bit about incident response, how to detect incidents, some of the preambles around table-tops. It seems like all of a sudden to me, we’ve gotten probably a half dozen discussions over the last couple of weeks with clients around that need to do table-tops and better formalize that.
[00:15:24.790] – Steve Maresca
So what is table-top exercise?
[00:15:27.590] – Jason Pufahl
So a table-top is really running through an example scenario of a cyber event, in our case, in a cyber event. But really it is an exercise to demonstrate staff’s competence responding to an incident of some sort. So we typically do them for ransomware attacks, insider threat, technology-based attacks to some degree, trying to understand what the staff’s response might be around that.
[00:15:58.310] – Jason Pufahl
It’s great, in my opinion, that we’re having these conversations because it does exhibit more interest in being prepared before an incident or an emergency happens. Too often, we’re called in when something actually bad has already happened and we’re there to mop up a mess. I think they’re great conversations and we’ve performed a couple, even.
[00:16:17.150] – Steve Maresca
It’s one of those things where you build a plan, it should not be expected to survive an actual first contact with a true incident because-
[00:16:26.620] – Jason Pufahl
It’s just your plan.
[00:16:27.600] – Steve Maresca
It’s a best effort at that time. But until you’ve gone through the motion with a real-world event, or simulated, you frankly don’t know where the holes are. And contrived incidents are certainly artificial in the name, I suppose, but they still are realistic enough, especially with the right participants, that you can derive real value. Lessons coming out of them might improve your planning, might improve the people that need to be involved, that sort of thing.
[00:16:57.690] – Steve Maresca
I think the important thing to know about table-top exercises is that they can be very simple in that your key technical staff is at a conference, they’re not reachable because it’s in a different time zone, you have a major issue. What do you do?
[00:17:14.030] – Steve Maresca
And walking through that from a communication standpoint, from a triage standpoint, all of that in absence of people who are hypothetically your go-tos, you get some really important outcomes from simply thinking about it like that. It’s just a simple example.
[00:17:30.360] – Matt Fusaro
That’s a good point, too, Steve, is that you don’t have to make complicated examples that you’re trying to walk through. It’ll help you do them more often, too, if you keep them a little simpler. Really, the goal here is to develop some muscle memory when an incident happens so that you know what you got to do when something happens, what your role is, what everyone else’s role is, instead of trying to figure that all out in the fly.
[00:17:55.010] – Jason Pufahl
Yeah. I feel like we’ve had enough conversations just in the last few weeks that doing a dedicated episode on table-tops, and running through them, and what these things might actually look like, and frankly, how much time you need to dedicate, and what some of the outcomes might be would be worthwhile. So I think we’ll look to do that probably upcoming.
[00:18:12.910] – Steve Maresca
What’s your organization would be well primed for a table-top exercise, just as a closing thought, because we’ll get into that another time.
[00:18:21.530] – Jason Pufahl
I was almost going to say what organization wouldn’t be? Certainly we do a lot of work in higher ed, manufacturing, some health care. Every single one of them, I think, has value there.
[00:18:32.560] – Steve Maresca
I’m thinking more about maturity. You’ve already made a plan, you’ve identified maybe the steps and the people involved, and you want to test it. You have some minimum level of preparation involved.
[00:18:44.460] – Jason Pufahl
So you know what I think I want to say, everybody who’s listening to this, tune into the upcoming episode where we’ll talk about that a little bit more.
[00:18:56.130] – Jason Pufahl
It’s more a question of how do you develop your simulation and I think you develop that simulation based on the maturity of the organization. That’d be my short answer, we can spend more time on that in the future.
[00:19:08.670] – Jason Pufahl
So I think in closing, we covered a few things. Certainly, you want to keep an eye on that Okta situation. Understanding the notification requirements that SISA has imposed, I think, is certainly valuable. Another acquisition, I guess, on the Google space, people will watch that if they want to.
[00:19:26.710] – Jason Pufahl
But as always, we do hope you got some value out of today’s discussion, I think a lot of good information. If you’d like to follow up with anything that we spoke about, feel free to reach out to us on LinkedIn at Vancord. Suggest any future topics, we’re happy to cover them and we’ll talk to you soon. Matt, Steve, thanks for joining today.
[00:19:47.910] – Speaker 4
Stay vigilant. Stay resilient. This has been Cyber Sound.