As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Steve Preston, SVP of Strategy and Growth, TrapX Security.
Steve leads TrapX’s worldwide marketing strategy and operations, bringing over 25 years’ experience that spans global enterprises and high-growth startups. Named one of the 100 Most Influential B2B Tech Marketers in North America by Hot Topics, Steve has played a critical role in driving product strategy, building brands and driving record-breaking growth for some of the best-known software companies in the world including Rational Software, Documentum, RSA, Everbridge and CyberArk. He holds a BS Mechanical Engineering from Wentworth Institute of Technology.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
Hah! That might take a little time! Well, I grew up in a blue-collar New England town — youngest of five kids. I was an underachiever in high school, but I was somehow blessed with musical talent. I started playing the drums professionally at an early age. That’s what I did when I graduated — playing gigs and working menial jobs in factories and so forth. By the time I was twenty-one, I met the girl I would eventually marry and decided I needed to get my act together, so I went to college — for music of course. My college career as a music major didn’t last long. I just couldn’t reconcile it with my ambitions to marry and raise a family, so I transferred to Wentworth and got a degree in Mechanical Engineering — crazy. I married young, raised four children while my career transformed from Manufacturing Engineer to CAD Sales Engineer, to Product Management and finally Product Marketing. I still drum.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
I wish I could say there was a specific moment that inspired me, but it was really more gradual for me. I always centered on complex technology — that’s where my technical/creative brain really found a home. I was at EMC, working in the corporate strategy team, when we acquired RSA. A mentor of mine went over there to take an SVP role and connected me with the CMO, who was looking for someone to start a Solution Marketing team. It was an awesome role. I put a very talented team together and we really made an impact. That kicked off my career at RSA. It was very rewarding. I forged great friendships and learned a ton from amazing people — some of the very best in my opinion. Look at the RSA family tree and you’ll find many of today’s security leaders. That’s what inspired me.
Can you share the most interesting story that happened to you since you began this fascinating career?
That’s easy. In 2011 we were riding high at RSA. I was working with a wonderful team — breaking new ground on an exciting security management strategy that would lead to the acquisition of NetWitness. We were rocking. Archer was flourishing and our message was resonating in the market. That RSA Conference was especially fun. A month later we were telling the world we were targeted by an APT! There’s nothing more sobering than facing down a nation-state-sponsored cyber-attack. That’s a moment of truth. You very quickly learn, as a team of engineers and executives responding to a military cyber strike, that you’re outmatched. I was a member of RSA’s crisis management team. It was an unforgettable experience. EMC and RSA executive leaders were brilliant. Everyone sold out for the common cause — heroic efforts everywhere. I learned a ton and aged quite a bit. It gave me great appreciation for any company that has gone through this.
None of us can achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
That’s a tough one because I’ve been blessed with a lot of help from great people. I have to give props to Dennis Hoffman and Tom Corn, but Art Coviello stands out, and I’ll bet a lot of other people would say the same thing. He was the CEO of RSA while I was there. Art is a force in cybersecurity. We hit it off personally and he looked for my input on a variety of things, so we collaborated quite a bit. Art gave me opportunities and challenges that I thought were beyond my abilities. But Art is humble and, by example, he taught me to be humble too — don’t take yourself too seriously — address a challenge, assemble the right team and give it a go. I remember during a particular RSA Conference, Art and I were kind of walking and talking. I don’t think we took more than 5 steps at a time without stopping so he could shake a hand or sign an autograph like a rock star. He was quick to remind me that he started as an accountant — pretty funny.
Are you working on any exciting new projects now? How do you think that will help people?
I am completely absorbed in my work at TrapX. I believe cybersecurity absolutely must change to match the threat landscape and to address risk in the “New Normal” of remote work and cloud services. I believe deception will play a critical role in making our new lives as remote workers more reasonable and secure.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
Have you ever painted a house? It’s pretty hard work. Imagine painting a big house on a hot summer day. You’re up on a ladder in the sun, arm’s distance from the clapboard, painting away. All you see is the color 3 feet in front of you. Paint, paint, paint. Sweating your brains out in the hot sun. When it comes to work, by all means, find life/work balance. Don’t answer weekend emails. Take your vacation time. And while you’re working, take some time to climb off the ladder and look at the house you’re painting. Reward yourself and see the progress you’ve made — envision how good the house will look when you’re done. You owe yourself that! Then get back up on the ladder and keep painting. I break this analogy out when people who work for me get frustrated and tired. We have to take a break — take a walk and appreciate what we’re doing. Hey, I’ve painted houses in the hot sun and that’s how I got through it.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?
When I started, I viewed cybersecurity as mysterious and technical — the domain of engineers and hackers. It is evolving into a practice that is much more business aligned, risk oriented and proactive. I’m excited about the direction cybersecurity is headed and here are 3 things I think lead the way.
FAIR — Factor Analysis of Information Risk, championed by the non-profit group FAIR Institute which is widely recognized as one of the most important and influential cybersecurity organizations in recent times. I am very excited about this effort because it leads to quantifying cyber-risk in dollars and cents. The CISOs who have adopted this methodology are far better equipped to align to the business, communicate to the board and prioritize investments.
MITRE ATT&CK — This has emerged as the de facto framework and knowledge base for attacker Tactics, Techniques and Procedures. ATT&CK allows you to select a group that’s more likely to target your organization, identify similar groups and follow their tactics and techniques through the kill chain to the platform and mitigations. This is very powerful. This excites me because it’s so complementary to FAIR. FAIR defines vulnerability as the combination of Threat Capacity (MITRE Group) and Resistance Strength (Mitigation). Together, MITRE ATT&CK and FAIR have the potential to quantify risk and mitigate it in an integrated framework.
MITRE Shield — MITRE recently published a complementary knowledge base of what they’re learning about active defense. MITRE uses the U.S. Department of Defense definition of Active Defense as the “employment of limited offensive action and counterattacks to deny a contested area or position to the enemy.” Engage the enemy to deny them a contested position. You should lock your doors and windows and maybe install surveillance cameras, but these are passive measures. Shield is different. It’s a framework for proactively engaging and disrupting attackers. It’s easy to see why, as a Deception advocate, I’m so excited about Shield. Deception comprises about a third of the techniques in the framework. ATT&CK and Shield offer a playbook to guard against likely groups and their TTPs, and a complementary framework for actively disrupting attacker TTPs.
These three, together are very powerful — imagine the ability to quantify risk, align to the business and communicate to the board — then execute within a framework that simultaneously prioritizes cyber hygiene while proactively disrupting attacks and minimizing risk.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
People will always be the weakest link — this is not new. However, working from home is new to many of us. This is the new normal. Remote work is here to stay and it’s ushering in a new reality of distributed employees and resources. This is a huge paradigm shift and it’s really challenging security teams. Why? Because phishing has increased exponentially. Security must work on the assumption that attackers will work under cover of legitimate credentials, and that’s a difficult thing to overcome.
Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
We had a new employee who started working remotely a few months ago. Within the first month, this person was phished by “their boss”. The attempt wasn’t overly sophisticated. I’m sure a LinkedIn announcement triggered it. The attacker looked up the boss’s name and sent an Outlook email asking for an urgent. (Spoiler alert — it failed.) What made this attempt so much more effective was the context. As a new employee, this person was more vulnerable. Eager to please and unfamiliar with their boss’s communication style, ethics and company policy, this person was much more likely to respond to this attempt. Here’s the takeaway. In the new normal we are all more vulnerable. Many of us are working from home for the first time in our careers — more uncertain, more eager and more distracted, we are simultaneously living more digital lives as we learn and adapt to a new work environment. This is incredibly fertile ground for phishing.
Security leaders need to develop an active defense strategy knowing that credentials will get stolen while they double down on education and awareness.
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
Start by thinking about attacker objectives and that will bring things into focus. They are after the crown jewels — command and control over the network or access to critical information. They are most likely going to use legitimate credentials to gain initial access, then they’re going to escalate privileges and move laterally. Working inside out, I’d start with Privileged Access Management — those solutions lock privileged access credentials in a vault and only allow access to critical systems through the PAM system. Then I’d look for a solution that can detect lateral movement. This is a big challenge. SIEM and UEBA systems are expensive and complex. They also generate huge alert volumes. A better place to start is Deception. Deception takes a different approach — it deploys emulated traps that act as magnetic sensors that draw attacks toward them and away from critical assets. This provides the dual benefits of risk mitigation, because now you’re making the attacker guess which asset is real, and high-fidelity alerting, because any interaction with a trap produces only true positives. Two-Factor Authentication is another critical control. I don’t think this needs explaining, but history will show that many breaches would have been avoided if MFA was deployed more broadly. Of course, there are more than three controls — I don’t want to oversimplify — a layered approach is the right approach. The big takeaway is that Deception is often treated as a “nice to have”, maybe because you won’t fail an audit if you don’t have it. I think that’s shortsighted and perhaps shaped by a less up-to-date understanding of what Deception really is today.
How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?
I think Managed Security Service Providers (MSSPs) and Fractional CISOs are a great option for organizations who don’t have the resources to design and build their own Security Operations Center. I would caution against nominating an IT person to take on the role without a strategy.
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
The only thing worse than a breach is a breach compounded by botched customer communications. Companies should develop a critical communications plan. Don’t underestimate this effort. A critical communications plan accounts for what your message will be in the event of a breach. The message has to be vetted with legal, marketing and executive leadership. Critical communications require a comprehensive communication platform. Depending on your industry you have to decide how you’re going to ensure that customers and employees are notified on a timely basis and that you have a clear plan to remediate. All of this has to be carefully orchestrated particularly if the breach is material and you’re a publicly traded company. I’ve found that the market will cut you some slack and even give you credit if your breach notification is transparent, clean and rapid. Conversely, if you’re unprepared and you come across as evasive and slow then you’ll only prolong the agony and add lasting brand damage to an already difficult situation.
What are the most common data security and cybersecurity mistakes you have seen companies make?
I mentioned this before. Cybersecurity must become risk based. Relying solely on compliance to best practice and regulatory frameworks as a way of covering themselves and their company is a little dangerous. PCI DSS compliance, for example, does not make retailers immune from breaches. Security is incredibly complex. A large organization may have tens or hundreds of thousands of endpoints to discover, manage and secure. It’s a never-ending battle. So, I can understand CISOs who believe the basics are hard enough and that risk quantification is too esoteric, but I believe the never-ending battle is precisely why CISOs must become risk based. They have to equip themselves with the ability to have risk discussions with the business — to understand risk appetite vs. tolerance and agree on how much risk the business is willing to take and how much security needs to mitigate. Otherwise the CISO ends up accepting more than they can manage.
Since the COVID19 Pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?
Absolutely and we talked about phishing earlier but let’s look at it another way. Say for example, your customer service reps, who used to work on campus in your call center, now work from home. You’ve issued them all secure new corporate laptops — great. When they VPN into your network, you can see them and control what they access. What happens when they’re not connected to the network? What are they connected to? How secure is their home network? Has their home router been patched? Do they know the first thing about patching their router? What other people are on the home network? What other games, toasters, printers, wearables and toys are on that network? Are they secure? The thing is, you have no control over that, and you can bet that that device will collect malware that will activate once the device is reconnected to the network.
Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)
1: Remote work is the New Normal. That means remote employees and accelerated cloud adoption. According to a recent PwC survey, 55% reported that most of their employees would work at least part time from home, up from 39% pre-COVID-19. That’s an enormous influx of remote workers introduced into an entirely new culture and environment.
2: Phishing is more effective than ever. IBM X-Force observed, since the World Health Organization declared the COVID-19 outbreak a pandemic on March 11, a more than 6,000% increase in COVID-19-related spam, with lures ranging from phishing emails impersonating the SBA, the WHO and U.S. banking institutions.
3: Lateral movement is incredibly hard to detect. Credential misuse is a preferred attacker technique because once attackers are in the network as a legitimate user, there are a variety of ways they can access guest, admin or service accounts and escalate privileges to admin levels and freely move laterally. This puts tremendous pressure on security teams to find the proverbial needle in the haystack. At this point the economic scales of cybersecurity tip heavily in favor of the attacker. At this point attacking is cheap and low-risk and defending is expensive and complex.
4: There’s a popular saying in security that the defender has to be right 100% of the time but the attacker only has to be right once. That’s because once an attacker is in the network, everything is real. They learn from everything they touch, and there is no penalty for getting caught other than being kicked out of the network, only to simply get back in and pick up where they left off.
5: Deception is an ancient tactic. It is a staple for attackers but largely ignored by defenders. It’s time for security to practice deception of their own. All laptops, applications, routers, printers, sensors, controllers, files, credentials and links don’t have to be real. They can be fake. We can fill our network with misinformation and traps. We can turn the tables on attackers, so they must be right 100% of the time and defenders only have to be right once. That means that we have to be more creative, business aligned, risk oriented and active. Take another look at FAIR, MITRE ATT&CK and MITRE Shield and consider a holistic approach that includes Deception.
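The two ideas that recur in the answers above (from the tools question: any interaction with a trap is a true positive because no legitimate user ever touches it; and from points 3 and 5: credential misuse during lateral movement is hard to spot, so plant fake credentials and watch for them) can be shown in a few dozen lines. What follows is an added example written for this page, not TrapX code and not the interviewee's. The account names, passwords, hostnames, log lines and IP addresses are all constructed for the walkthrough; a real deployment would plant the decoy artifact on endpoints and feed the detector from the central auth log pipeline.

```python
import re
from dataclasses import dataclass

# Decoy (honey) credentials. Names and passwords are constructed for this
# example. In practice they must not collide with any real account, and the
# only place they should ever appear is the planted decoy artifact below, so
# any authentication attempt using them is, by construction, an intruder.
DECOY_ACCOUNTS = {
    "svc_backup_legacy": "B4ckup!2019",
    "oracle_dba_ro": "Or4cle#ro",
}


def render_decoy_config(host="db01.corp.example", decoys=DECOY_ACCOUNTS):
    """Return an INI-style fragment that looks like a leftover service config.

    Dropped on an endpoint (or into a home-directory backup, a wiki page, a
    browser password store), this is the bait: an intruder harvesting files
    finds the credentials and tries them somewhere, which is the trigger.
    """
    lines = []
    for user, password in decoys.items():
        lines.append(f"[{user}]")
        lines.append(f"host = {host}")
        lines.append(f"user = {user}")
        lines.append(f"password = {password}")
        lines.append("")
    return "\n".join(lines)


# Constructed sshd-style authentication log lines for the walkthrough.
# alice and bob are ordinary users; 203.0.113.9 is a generic scanner.
SAMPLE_AUTH_LOG = """\
Nov 12 09:14:02 fs01 sshd[2211]: Accepted publickey for alice from 10.10.1.20 port 51522 ssh2
Nov 12 09:15:47 fs01 sshd[2240]: Failed password for svc_backup_legacy from 10.10.7.88 port 40112 ssh2
Nov 12 09:15:49 fs01 sshd[2240]: Failed password for svc_backup_legacy from 10.10.7.88 port 40112 ssh2
Nov 12 09:16:03 fs01 sshd[2251]: Accepted password for oracle_dba_ro from 10.10.7.88 port 40120 ssh2
Nov 12 09:20:11 fs01 sshd[2260]: Failed password for bob from 10.10.1.31 port 50201 ssh2
Nov 12 09:21:30 fs01 sshd[2262]: Failed password for invalid user admin from 203.0.113.9 port 3301 ssh2
"""

# Matches OpenSSH "Accepted/Failed <method> for [invalid user] <user> from <ip>".
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<outcome>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3})"
)


@dataclass(frozen=True)
class DecoyAlert:
    user: str
    src: str
    outcome: str  # "Accepted" or "Failed"; either one is a true positive


def detect_decoy_use(log_text, decoys=DECOY_ACCOUNTS):
    """Return one alert per authentication attempt against a decoy account.

    Ordinary failed logins (bob mistyping, the scanner guessing 'admin') are
    deliberately ignored: they are the noise a SIEM drowns in, but they are
    not trap interactions. A decoy username in any outcome is an alert.
    """
    alerts = []
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m and m.group("user") in decoys:
            alerts.append(DecoyAlert(m.group("user"), m.group("src"), m.group("outcome")))
    return alerts


def suspicious_sources(alerts):
    """Distinct source addresses that touched a decoy: the hosts to isolate first."""
    return sorted({a.src for a in alerts})


if __name__ == "__main__":
    found = detect_decoy_use(SAMPLE_AUTH_LOG)
    for a in found:
        print(f"DECOY {a.outcome.upper()} user={a.user} src={a.src}")
    print("isolate:", suspicious_sources(found))
```

On the constructed log the detector raises three alerts, all from 10.10.7.88, and nothing for alice, bob or the scanner. The "Accepted" line only makes sense if the decoy account exists solely on a trap host that is built to let the intruder in; it must never be a real account on a production system. The same pattern applies to any decoy artifact (a fake SMB share, a planted API key, a document with a beacon): the detection rule is simply "this thing was touched", which is why the alert volume is tiny and the fidelity is high.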
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)
I think one day we will all reflect on social media and see that it got out of hand. It is shaping a generation of people in a way that really concerns me. We have to look at how, as fellow human beings, we see others, express ourselves, inform ourselves and value our privacy. Let’s look at how social media is enhancing that experience and degrading it.
Let’s put our phones down once in a while. During meals, while we socialize, while we drive (for goodness’ sake). Be more aware of the privacy you’re forfeiting when you leave location services on or share passwords or post pictures of yourself or your children.
How can our readers further follow your work online?
Visit our blog at www.trapx.com
This was very inspiring and informative. Thank you so much for the time you spent with this interview!