As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Michael Wilson. He leads the Technology division of the organization, which involves the vision, strategy, architecture, infrastructure, development, and production system operation of Nuspire and its clients. Wilson has a proven track record of delivering value to customers through custom built solutions in two previous cybersecurity companies, with a focus on differentiation, innovation, and execution.
Prior to joining Nuspire, Michael was CTO and first employee of FishTech for CYDERES (Cyber Defense and Response). There he started building their MDR platform, developed partnerships with Google and GCP, and grew the company to be a major competitor in the Advanced MSS & MDR space. Wilson also has experience working for FishNet Security, H&R Block, and Optiv. He is passionate about keeping the ‘startup spark’, leading teams, and will ensure we stop to celebrate the milestones. Wilson received his bachelor’s degree in Computer Information Systems from DeVry University.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
Growing up I was always tearing things apart and putting them back together, often unsuccessfully. I’ve always been fascinated with how things work, which drove my interest to improve them and make them better.
In high school, I started a side gig to make some extra money creating websites; who would have thought that I would discover my passion for creating — taking an idea and making it a reality. It was then that I decided to create video games and applications, which has been a passion for me to this day.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
In my high school years, I found hackthissite.org, and I was instantly fascinated with the hacking puzzles they had. I wanted more puzzles, harder ones, and to understand everything behind them. This led to a pursuit of trying to reverse engineer the tools that attackers used, to understand what was actually possible and what was just ‘Hollywood’ nonsense.
What I learned was that it isn’t quite as easy as they make it seem on TV, but I also realized that with the right motivation, time, and access to Google, almost anyone can be a new enemy to organizations — which meant that defenders needed to step up their game. I accepted that challenge, becoming one of the defenders, and it is this passion that has driven my career in information security.
Can you share the most interesting story that happened to you since you began this fascinating career?
There is a time I remember fondly that I was able to use my passion and expertise to help a major state university.
I had a honeypot hosted at my house (using Kippo) that enabled me to watch someone install EnergyMech (an IRC bot used to create botnets). Through that observation I was able to trace where it was coming from to a public IP range that was used by a college to host college senior projects (web development projects). I got in contact with the college to help them shut down the compromised infrastructure — saving the projects for the students.
This experience really motivated me to pursue that feeling of helping others.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
There is not one person that helped me along the way, but multiple. I was fortunate enough to have a group of mentors ranging from CISOs, CEOs, and friends that helped me set goals and stay accountable, motivated me through hard times, guided me through making tough decisions, and always kept my book list full of new recommendations.
Are you working on any exciting new projects now? How do you think that will help people?
At Nuspire we are very excited about what is to come. We are currently working on a new platform that enables cybersecurity leaders to easily manage their security technology stack, integrate the data into a proprietary platform for analysis, and easily augment their team when and as needed. Essentially, we are creating a one-stop shop to customize, configure, change, and augment their security technology with new products, integrations and/or services. We are choosing to focus on a persona-based experience, making it as easy as possible to manage and improve an organization’s security posture.
This is something that hasn’t been done before, and our goal is to help security leaders save time and reduce costs in the long term while drastically simplifying how they manage their company’s overall cybersecurity strategy.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
My advice to anyone pursuing or already in a security career is:
- Make sure you are following your passion. I am in love with building applications and passionate about helping customers stay secure, which is what drives me to be better at my job.
- When I feel burned out, I will do a no-tech Saturday. It is far more challenging than it sounds, but I highly recommend it. Leave the phone in the bedroom on the charger, keep the laptop shut, and stay away from screens. The only exception for me is my Kindle Paperwhite.
- Make time for things you enjoy aside from work. Game jams (building a game in 48 hours), creating apps, and building drones on the side are usually my go-to.
Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?
There are many things that excite me about cybersecurity, but my top three have to do with the opportunities we have within the industry:
- Technology in the cybersecurity industry is only starting to become interesting. Security products are behind compared to the capabilities of the technology giants out there. Take an organization like Facebook, which is extracting constant value from user data. The cybersecurity industry needs to put as much effort and investment into getting more value out of security data as Facebook does with user data for ads; if we did that, the cybersecurity industry would be changed forever.
- Our protection model is changing from “castles” to “high-tech body armor”. We used to use firewalls, force all traffic through our datacenter, and put all our efforts into making those walls as big and strong as possible. Today, due to the pandemic, most workforces have been fast-tracked to partial or all remote. We have to think about how to protect employees no matter where they are. As a result, security needed to move to the endpoint (the high-tech body armor). Many organizations are being forced to embrace this and some are caught off guard without proper controls to protect their employees when they are not connected to the organization’s network.
- Oftentimes in the cybersecurity industry it feels like we cannot win. Our adversaries are fast with zero-day vulnerabilities and are winning more often. They adapted to our controls and have already attacked native cloud functionality and services. I recently advised several organizations through a ransomware attack where the organization was forced to decide if they wanted to pay for their data or lose it all and move on. Nothing is sadder than hearing a grown man cry in fear of losing his job and just wanting the incident to be over — if that doesn’t motivate us to step up our game, take cybersecurity seriously, and fund it correctly, nothing will.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
There are many critical threats we need to pay attention to. One threat that stands out is migrating the data center to cloud infrastructure without proper foresight and security controls in place; organizations must review their move to cloud and ensure that it was implemented securely.
The move to the cloud is often driven by the cost savings, but this is a massive undertaking, especially considering the industry, in general, lacks specialized resources. It is easy to let a small team start learning and migrating their environment to the cloud without understanding all the security implications; in the long run many issues may arise. For example, one of the most common sources of cloud data breaches is exposed S3 buckets. It is easy to host a website or store data in an S3 bucket with a focus on making the site or data available to complete the project. If the developers and engineers are not keeping security top of mind while doing this, it is easy to accidentally make it public and not realize it. This is an issue that is fixed with just a checkbox. An expert would think of this requirement during the process, whereas teams without the expertise wouldn’t necessarily take the correct steps, which will leave the organization open to threats.
It’s important to understand and invest correctly when migrating or adopting cloud technologies to make sure you don’t end up going backwards financially. A good recommendation is to rely on third-party expert providers that are equipped with the resources and capabilities needed since third-parties cost less than having a full internal team. Another option is to invest in a cloud management platform — either configuring built-in security checks in your cloud provider or leveraging an external tool that can monitor and alert on multiple cloud platforms. Just remember that the tool is only as good as the people you have running and monitoring it.
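The exposed-bucket scenario above, as an added example (not code from the interview or from Nuspire): an offline check that reads a bucket's ACL grants, bucket policy and S3 Block Public Access settings in the shapes the AWS S3 API returns them, and reports whether the bucket is actually reachable by the public or whether the "checkbox" neutralizes the mistake. The sample bucket data, the bucket name and the owner ID are constructed.

```python
"""Offline S3 exposure check. Input dictionaries follow the shapes returned by
the AWS S3 API calls GetPublicAccessBlock, GetBucketAcl and GetBucketPolicy;
all sample values below are constructed for illustration."""
import json

# Canned group grantees that make an ACL readable by everyone / any AWS user.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
BLOCK_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls",
                  "BlockPublicPolicy", "RestrictPublicBuckets")


def _principal_is_public(principal):
    """True when a policy statement's Principal is the wildcard '*'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def assess_bucket_exposure(public_access_block, acl_grants, policy_json):
    """Return findings for one bucket; 'EXPOSED:' entries are public access
    that is effective right now, the rest are weaknesses to tidy up."""
    pab = public_access_block or {}  # None models a bucket with no block set
    findings = []

    # ACL path: a public grant only matters if public ACLs are not ignored.
    for grant in acl_grants:
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            perm = grant.get("Permission", "?")
            if pab.get("IgnorePublicAcls"):
                findings.append(f"public ACL grant {perm} present but ignored (IgnorePublicAcls)")
            else:
                findings.append(f"EXPOSED: public ACL grant {perm} is effective")

    # Policy path: RestrictPublicBuckets confines a public policy to the account.
    if policy_json:
        statements = json.loads(policy_json).get("Statement", [])
        statements = [statements] if isinstance(statements, dict) else statements
        for stmt in statements:
            if stmt.get("Effect") == "Allow" and _principal_is_public(stmt.get("Principal")):
                if pab.get("RestrictPublicBuckets"):
                    findings.append("bucket policy allows Principal '*' but RestrictPublicBuckets confines it")
                else:
                    findings.append("EXPOSED: bucket policy allows Principal '*'")

    # The preventive "checkbox": report any of the four settings left off.
    missing = [k for k in BLOCK_SETTINGS if not pab.get(k)]
    if missing:
        findings.append("Block Public Access not fully enabled: " + ", ".join(missing))
    return findings


# Constructed sample: a project site bucket made public by ACL and by policy.
SAMPLE_ACL = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID-PLACEHOLDER"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-project-bucket/*"}]})
HARDENED_PAB = {k: True for k in BLOCK_SETTINGS}  # all four boxes ticked

if __name__ == "__main__":
    for label, pab in (("no block", None), ("hardened", HARDENED_PAB)):
        print(label, assess_bucket_exposure(pab, SAMPLE_ACL, SAMPLE_POLICY))
```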
Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
I have been involved in quite a few breaches, and while each one has a unique twist and point of entry — the main takeaway is generally the same.
Practicing good security hygiene has a higher ROI than any single piece of technology, and in most of the incidents I’ve seen, it could have been prevented or stopped if good security practices — regular patching, encrypting sensitive data, IAM practices, MFA — were exercised. Security and IT teams need to lay the groundwork to keep the organization safe and continually reinforce those practices.
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
I have an intensive list of tools I personally use, but the ones that are most beneficial for all are:
- Security awareness training — Every organization should have a security awareness training program. Phishing is the most common method attackers use to infiltrate an organization; they target the weakest link in the organization — users. Security awareness training helps employees understand their role within the security of the company and what they can do to keep themselves and the resources of the organization safe.
- Endpoint protection (EPP) — EPP tools give security pros peace of mind that their endpoints are protected. If a device is compromised, the EPP tool will stop the process or delete the malicious file so the attacker cannot move laterally within the organization, protecting the rest of the resources from being infected.
- Network traffic analysis (NTA) — NTA gives organizations visibility into network traffic; if something is amiss, it will alert teams to investigate. In a nutshell, NTA tools intercept, record, and analyze network traffic communication patterns to detect security threats.
- Access Management / Single Sign-On — Access Management tools are great for handling provisioning and deprovisioning, enabling two-factor authentication, and giving users a simple and secure way to access the rising number of cloud applications they rely on for work. It helps reduce the challenges of logging in from anywhere and gives IT teams further visibility into who is accessing what, no matter where they are based.
- Cloud Management Platform — Cloud Management Platform tools are great for managing complex cloud environments. These tools help optimize and manage cloud infrastructure from cost and operations to improve security and are especially valuable in a multi-cloud design where you need to monitor and protect data hosted in multiple cloud providers.
How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?
Truly, there are only a few companies that can afford to have a full information security team with deep expertise and everything that it encompasses — being active 24×7, training, attracting talent, having the right technology stack, etc. However, there are different ways that organizations can create a proficient and cost-efficient security program.
No matter the size of the organization, there are numerous benefits of working with a managed security service provider (MSSP). Smaller companies usually don’t have enough resources to hire a full-time security team, whereas MSSPs have security professionals working around the clock to keep you protected. For larger organizations with a group of security experts, MSSPs can augment the team, handling the common and low-level alerts and incidents so that the internal team can spend more time improving their internal security program instead of watching alerts.
Hiring outside experts or deciding to hire an internal Chief Information Security Officer depends on several aspects, primarily the sensitivity and value of the resources that need protecting and budget allocation. Partnering with an MSSP also alleviates the challenges of building a team from scratch or expanding the current team’s capabilities.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?
There are several things all employees and users can pay attention to in order to keep themselves and their organization safe:
- Keep an eye on ‘strange’ phishing emails from spoofed internal addresses or even emails with your company branding. The use of spear-phishing leveraging internal identities and branding is increasing, so be on the lookout and doubt information you don’t recognize or that sounds suspicious.
- Triple check and verify when you see emails asking to make changes to HR/Payroll systems, such as changes to direct deposit and personal information.
- If you have NTA implemented, monitor for regular connections to strange IPs outside of the country or to places you don’t do business with.
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
After a breach happens organizations need to take the following actions:
- Immediately engage Incident Response (IR) or Digital Forensics and Incident Response (DFIR) experts to help with remediation and investigations. Experts will help you understand what went wrong, the type of threat they are up against, and how to react — meaning the specific actions to take depending on the breach the organization is experiencing.
- Immediately protect the endpoints and backups, then isolate the infected devices. Ensuring that you have an endpoint agent in ‘protect’ mode to actively stop threats — not just in alert mode — is paramount. When you engage an IR team, the first step is often deploying an endpoint technology across the organization as quickly as possible to stop the spread.
The recent privacy measures are good news for our business. These new laws are important to protect us, and it is our role as a managed security service provider to ensure we have experts to help customers navigate these regulations while maintaining business operations.
That said, these laws are making it harder to get business started and slowing things down as new businesses have to be compliant in order to operate. However, regulations are important and should be taken seriously. If these regulations are making it hard to move forward, I recommend bringing in an expert to guide you through the process.
What are the most common data security and cybersecurity mistakes you have seen companies make?
The most common mistakes I usually encounter have to do with:
- Not patching/updating servers because they are ‘afraid to reboot them’
- Moving to the cloud without a strategy or security oversight
- Wrongfully thinking anti-virus software is good enough
Since the COVID19 Pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?
COVID19 highlighted the need for a more resilient approach to security. We saw a sharp uptick of security errors, particularly around the lack of oversight and understanding around moving employees to remote work. Companies need more flexibility to allow employees to work from home and continue operating during the pandemic, but security cannot be an afterthought. In fact, we are more vulnerable now than ever before as attacks continue to rise.
With threats multiplying and capitalizing on the increase in remote work, it is paramount that organizations understand that while enabling remote workers and utilizing cloud technology provides many benefits, if not adequately protected and planned with security in mind, the consequences can be devastating and will cost more in the long run.
Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)
There are many steps that organizations can take to close the gap in data privacy, some of the most outstanding for me have to do with:
- Get a modern endpoint protection (EPP) agent. Make sure you have a modern endpoint agent that does more than monitor. Even the most sophisticated endpoint technology will not help if it isn’t blocking processes from running and removing malicious files. In most ransomware incidents, the first thing organizations need to do to ‘stop the bleeding’ is deploy a modern EPP agent to stop it from spreading. It’s better and less disruptive to the business if the organization deploys EPP ahead of time when there is no emergency than to race against the clock to save your data. Once again, just ensure it is in ‘protect’ mode, otherwise your investment could be useless.
- Rely on an access management tool. Passwords were meant to be broken. A good access management tool helps solve the risks with traditional passwords. With it, an organization is able to integrate their domain, SaaS applications, and even customer applications, ensuring every entry point is secured. Leveraging multi-factor authentication (MFA) will significantly increase the barrier of entry into your network. In addition, it enables users to be more productive remotely while keeping resources secure. There is no excuse to not have MFA protecting your applications.
- Remember to patch. Everyone knows they should be patching, but it’s still an overlooked step. Unpatched and old systems — especially when publicly accessible — will be breached at some point. There was a time when servers had to have 100% uptime, but that excuse is no longer valid. With the introduction of virtualization, load balancing, and a number of other options that can be used to mitigate the risk of downtime for the business, rebooting and patching should be a priority task as it helps avoid any potential threats exploiting outdated systems.
- Have a security awareness training program. Users are the weakest link of the enterprise and with so many risks associated to their activity, the importance of training employees cannot be understated.
Phishing is still one of the most effective ways to infiltrate and profit from an organization. Keeping employees informed and alert will save big headaches in the long run. Even at other security companies we have seen convincing emails go to the HR teams to change bank account information.
- Purchase an incident response (IR) retainer. There is no shame in asking for help. Make sure you have an IR retainer and decide if you should augment your security team or have an MSSP help monitor your environment before an incident occurs. If you wait until a breach occurs, you will spend significantly more money.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? (Think simple, fast, effective and something everyone can do!)
I have two ideas that I wish I could start a movement on.
The first one, more related to my career, has to do with password management. I recommend you get a password manager, make sure you are not reusing passwords, and enable two-factor authentication everywhere you can. It still surprises me how many people are using weak passwords on multiple sites and wonder why their Facebook account was hacked. Passwords are ingrained in our lives and they are known for being one of the weakest forms of security. This is something that is easily fixed and we need to raise awareness around.
On the other hand, I would love to start a movement to introduce the power of the “no-tech day”. One day a week or month to put our phones down and turn our screens off to enjoy life, reset, and interact with our loved ones. Social media and constant distractions from our devices can negatively impact our real interactions; bringing back personal connections and reconnecting with oneself should be a high priority in this hectic society.
How can our readers further follow your work online?
Although I am not overly active on social media, you can find me on LinkedIn.