“Knowing an action must occur” With Jason Remillard & Stephen Moore


Understand that few adversaries break in, they log in. They compromise credentials and log in to most networks and applications. Furthermore, the burden on the defender to uncover if an account has been compromised is so great that most simply give up. Lastly, this has changed not only how breaches occur, but also the definition of insider threat as the outsider masquerades as an insider.

As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Stephen Moore. He has been vice president and chief security strategist of Exabeam, Inc. since August 2017, and is also the host of The New CISO podcast. Moore has more than 15 years of experience in information security, intrusion analysis, threat intelligence, security architecture and web infrastructure design. Prior to joining Exabeam, Mr. Moore spent more than seven years at Anthem, in a variety of cybersecurity practitioner and leadership roles. He was the architect of the new 6,000 square-foot Anthem Cyber Security Operations Center in Indianapolis. Prior to joining Anthem in 2009, he served in a variety of roles at Sallie Mae (now known as Navient and Sallie Mae Bank) within the Web Infrastructure, Program Management and Information Security organizations. He served as staff vice president of Cyber Security Analytics at Anthem, Inc. and played a leading role in the response and remediation of the data breach announced in 2015. He has deep experience working with legal, privacy and audit staff to improve cybersecurity and demonstrate greater organizational relevance. Moore has been a Member of the Advisory Board at SecureAuth Corporation since July 2017.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

My family were farmers in the Midwest. As a result, we did not have access to much. I grew up in a trailer without any heat at the edge of a corn field. When you grow up poor in an agricultural setting like that, you have to think outside of the box, build new things and repair instead of replace. Farmers are some of the great original modern hackers. I mean the real definition of hacker which doesn’t have a criminal connotation; simply someone who learns how to take things apart, fix and improve things and reassemble them. They had to find unique ways to solve a problem or get ahead with little to no resources.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

I was a builder before I was a defender, and I was told what I had built wasn’t good enough. Early in my career, I worked for a company who provided student loans on the internet, which was a new concept at the time. During an audit of the system, there were a few folks who had raised several issues on the site that could have led to a security incident. I spent the next three years of my free time learning about information security. I started a local security group, took additional classes in security, paid for my own security training and even authored security course curricula. Turns out, I was hooked. After that job, I interviewed three times over three years to become a security analyst — I didn’t do well the first two interviews and was told I wasn’t good enough. At some point all the extra work paid off, and I became an intrusion analyst. I was a real ‘bull in a china shop’ — and I haven’t looked back since.

Can you share the most interesting story that happened to you since you began this fascinating career?

Prior to joining Exabeam in my current role, I spent more than seven years at Anthem in a variety of cybersecurity practitioner and leadership roles. While at Anthem, I was able to play a lead role in response and remediation of the data breach announced in 2015, which I would say would be the most interesting time of my career. Incident response, and certainly breach response, goes far beyond technology; it’s a pressure test of culture and security leadership. Every security leader, at some point, should have to manage a major incident or breach. Lastly, throughout all of the times I have been called to help in incident response, I have found the attacker behavior and tactics equally fascinating; often they know the defended network better than the defenders.

None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?

Long before my career in technology and cybersecurity began, one of my high school teachers — Mr. Lentz — took the time to write me a letter of recommendation. He went out on a limb to support me when I was not ready at all to go to college. He also made a comment that he could tell I was going to be important one day. I have always been thankful for that. Throughout my career, I have had many professionals who I have learned from. However, I believe that when you are young and still figuring things out is when you need help the most. I’ll always be thankful for Mr. Lentz.

Are you working on any exciting new projects now? How do you think that will help people?

My current role at Exabeam is a project in and of itself, but I also have my own podcast within the company titled, “The New CISO” which is 100% dedicated to the security community. For each episode, I get to sit down with chief information security officers (CISOs) to get their take on cybersecurity trends, what it takes to lead security teams and how things are changing in today’s world. The podcast was based on the idea that we need better guidance for newcomers in information security and focuses on the ideals of servant leadership. The best part of my week is when listeners reach out and thank us for themes we have covered on the show, or share their experiences.

What advice would you give to your colleagues to help them to thrive and not “burn out”?

The textbook answer to this question is typically balance, but it goes far beyond that. There has to be fulfillment. Employees have to believe that the organizations they work for care about them, most importantly the people above them. The best way to not burn out is to have a good boss. The saying, “people don’t leave companies, they leave bosses,” holds a lot of weight. Company leaders need to hold themselves accountable for whether or not employees are thriving and employees need to get better at ‘firing’ mediocre leadership.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?

There are certainly several different aspects to pick, but if I had to narrow it down to three:

  1. Cybersecurity — as a discipline and industry — is very new. Despite all of the money, flashiness and bravado, we are learning as we go along and struggling to mature along the way.
  2. We don’t have it all figured out. There is no unified definition of good which creates a lot of friction, activity and excitement.
  3. We are still discovering new ways to do the job. Security work is still primarily a manual process. The industry as a whole is going to continue to be transformed by automation technologies over the next few years.

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?

For many, the biggest threat is themselves. Specifically, the threat facing security organizations today is practitioners’ and leadership’s own ignorance of the gravity of a cyberattack. Unfortunately, security professionals don’t understand the consequences of an incident until they experience it firsthand and are overconfident in their ability to identify and respond. Organizations have had to hire people who don’t have any experience managing these devastating events.

Security professionals and other team members also have a tendency to underestimate themselves in the eyes of an adversary, specifically the worth of their brand, the information they manage and their intellectual property. Employers don’t place enough emphasis on the value of their own data, and underestimate the value of their brand if it is stolen.

Yes, cyberthreats should be a concern for every organization, but ignorance, overconfidence and underestimation of value need to be addressed first.

Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?

Many people make the mistake of believing that a breach begins when the adversary enters the network. In reality, the event begins when there are enough bad decisions made by leadership to allow the cyberattack to occur. Think about the shuttle disaster of 1986; it didn’t happen when the actual rocket ship exploded. The destruction was caused by a sort of organizational tolerance stacking which allowed failure.

According to the IEEE, the disaster was due to:

  1. Analysis of available information didn’t occur, and evidence was reviewed and interpreted in a hostile light.
  2. They used incomplete data that didn’t represent actual conditions.
  3. Engineers didn’t have a large enough voice to raise concerns.
  4. The chain of command was ignored and information didn’t make it to the right people.

You can apply these four points to almost every breach on which I’ve counseled or managed.

Additionally, a breach will last much longer than when the adversary is removed from the environment.

Early in a breach I was working on, I got an instant message from up the chain in the company requesting for me to join a conference call. I now had seven minutes to prepare to speak with our 1,000 largest customers. I had exactly zero client management experience and I hadn’t slept in two days. The call was only supposed to be 90 minutes, but lasted around three to four hours. The call took place on day two of a breach, while I was simultaneously leading the company breach response.

Each of the companies affected by the breach on the call brought experts of their own to get more details and ask difficult questions. The call was also being recorded, so anything I said could be made public. Due to the nature of the breach, which involved nation-state actors, I was very limited in what I could say and could provide very little information.

One customer asked us, “Can you share the cyber kill chain of the attack?” Both of the executives remained silent. We could not just say no, because that would have been rude. We also could not divulge information because the government was involved. I spoke up and said, “By virtue of the fact you asked the question, I know you will appreciate my response. It would be imprudent to share details of the attack as events are still unfolding. When we have completed our work, we will share through approved channels.” I thought of this on the fly.

The lesson there is no matter what role you think you have during a breach, it will change. Furthermore, I got a message from the higher ups, and they said they wanted me on every one of these calls.

What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?

A great place to start is to think about the credential, how it’s abused and how it can be better managed. Here are a couple of tools I would want every reader to use daily:

  1. Google Authenticator — allows you to have multifactor and adaptive authentication to commonly used services like Gmail and Instagram.
  2. Password vaulting programs like pwSafe for passwords and passphrases, which are critical when looking at the gravity of credential-based attacks.

Users install an app on their phone and grant accounts like your email or even social media accounts to use the rolling key rather than just a username or password — anything that is username and password only can be stolen or reused. Adopting these techniques can greatly reduce your chances of an adversary gaining access to your login credentials.

How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?

In all cases there needs to be a security leader, even if it is just a shared position. Depending on the size and needs of the company, a virtual CISO is helpful to get an organization on its security feet.

One item to consider is to contract with someone to help you before a crisis, like a breach, occurs. This includes legal, communications, and incident response help — do this now.

Any singular control will fail, over the counter or not. Understand the limitations of your current investments but more importantly be honest on your ability to detect, disrupt, respond and recover. Much of this success goes beyond software and depends more on what you’ve built and how you’ve trained ahead of time.

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?

Before you can act on signs, there must be an agreed upon and practiced method of information sharing and escalation. If an employee sees things that are strange, they should act on their training and share that information to the predefined resource, person, or team. Organizations need to remind employees to think beyond the technology and keep the following points in mind:

  1. Knowing the everyday employee will be targeted
  2. Knowing how these attacks start and that’s typically via email
  3. Knowing an action must occur; visiting a website or opening a link
  4. Knowing the goal is to get you to perform a function you don’t normally, and likely sign into a fake site

For a lay person, that is what you need to do. Know you are part of a problem, and a solution. Look for strange messages in your outbox as well. A compromised email account will likely send or forward email as you. Also look for forwarding rules. Set the expectation that if you send something weird, your colleagues should check in with you.
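As an added example that is not part of the interview, the following script audits a list of mailbox rules for the signs described above: forwarding to an outside domain, deleting or marking as read the forwarded copies, and hiding the rule behind a blank or dot-only name. The export format, the rule fields and the domain example.com are assumptions; the sample rules are constructed.

```python
"""Audit mailbox rules for patterns typical of a hijacked email account.

Constructed example: the InboxRule shape stands in for whatever a mail
platform exports, and example.com is assumed to be the organisation's domain.
"""
from dataclasses import dataclass, field

OUR_DOMAIN = "example.com"  # assumption: the organisation's own mail domain


@dataclass
class InboxRule:
    owner: str
    name: str
    forward_to: list = field(default_factory=list)
    delete_message: bool = False
    mark_as_read: bool = False
    enabled: bool = True


def is_external(address: str) -> bool:
    """True when the address is outside the organisation's domain."""
    return address.rsplit("@", 1)[-1].lower() != OUR_DOMAIN


def audit_rule(rule: InboxRule) -> list:
    """Return findings for one rule; an empty list means nothing suspicious."""
    findings = []
    if not rule.enabled:
        return findings  # disabled rules cannot leak mail; skip them
    external = [a for a in rule.forward_to if is_external(a)]
    if external:
        findings.append("forwards to external address: " + ", ".join(external))
    if rule.forward_to and rule.delete_message:
        findings.append("forwards and deletes the original (hides the copy from the owner)")
    if rule.forward_to and rule.mark_as_read:
        findings.append("forwards and marks as read (hides new-mail indicators)")
    if not rule.name.strip() or set(rule.name.strip()) <= {"."}:
        findings.append("blank or dot-only rule name (common way to hide a rule)")
    return findings


def audit_mailbox(rules: list) -> dict:
    """Map each mailbox owner to the findings on their rules; clean owners are omitted."""
    report = {}
    for rule in rules:
        findings = audit_rule(rule)
        if findings:
            report.setdefault(rule.owner, []).extend(findings)
    return report


# Constructed sample: two benign rules, two that look like account takeover,
# and one disabled rule that would otherwise be flagged.
SAMPLE_RULES = [
    InboxRule("alice@example.com", "Move newsletters"),
    InboxRule("alice@example.com", "Copy to manager", ["manager@example.com"]),
    InboxRule("bob@example.com", ".", ["bob.home@mailbox-invalid.example"], delete_message=True),
    InboxRule("carol@example.com", "Invoices", ["ap@partner-invalid.example"], mark_as_read=True),
    InboxRule("dave@example.com", "", ["x@outside-invalid.example"], enabled=False),
]

if __name__ == "__main__":
    for owner, findings in audit_mailbox(SAMPLE_RULES).items():
        print(owner)
        for finding in findings:
            print("  -", finding)
```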

Emphasize the importance of picking up the phone and validating an email or other form of digital correspondence is legitimate before visiting a site or performing a business action. Lastly, know that employees are generally targeted — if you are an executive, assistant to an executive, systems administrator or have access to a crucial app you are likely at even greater risk. One of the most important pieces to the puzzle is being mindful of what you share publicly or activity that may lead you to be targeted.

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

No matter the size of your organization, you should have a trained incident response team tasked with taking immediate action when incidents happen. Leadership should be pressuring this team to prove its relevance by asking good questions, participating, and providing cooperation to correct program deficiencies.

After a major incident occurs, the real judgement of the organization has more to do with the response to the breach than the breach itself. Always have a clear and transparent message to employees, customers, and the media.

I often share with executives that you don’t pay outside incident response organizations to throw the adversary out, you pay them to build a timeline so together you know how to throw the adversary out. The timeline tells you what the adversary touched, modified, and stole from the environment, the accounts compromised and tools used. This removal is known as a remediation event and is often quite technically disruptive.

When executive leadership has been briefed, call in your outside help, remember the authority provided to your internal response teams, and get ready to work like crazy.

How have recent privacy measures like The California Consumer Privacy Act (CCPA), CPRA, GDPR and other related laws affected your business? How do you think they might affect business in general?

Overall, the U.S. is behind as it relates to national support for the privacy of consumers and citizens so it’s nice to see CCPA take shape.

In both examples, businesses must rethink how they approach data management and concepts like the right to be forgotten. Retrofitting existing data collection mechanisms can be costly and cumbersome; however, over time everyone will benefit from it.

One way we have been affected, specifically by GDPR, is the requirement to report a breach 72 hours after becoming aware of it. By virtue of our work in this space, Exabeam cuts down the time to scope and respond to these types of problems.

What are the most common data security and cybersecurity mistakes you have seen companies make?

As mentioned previously, the greatest mistake that organizations can make when it comes to data security and cybersecurity is believing that an attack will never happen to them. For most enterprises, it is not a question of if a cyberattack will happen, but when.

Next is to assume that spending all your resources on compliance will make you secure. There must be balance. Leadership must understand that compliance is often a tax placed on those who actually make a business secure. Want to find fewer bad things? Ask the team responsible for finding and responding to incidents to instead create a long list of compliance reports.

Since the COVID-19 pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?

Companies are definitely grappling with the security fallout from the unexpected shift to remote work. Unfortunately, it is business as usual for cybercriminals and foreign adversaries who now have an unprecedented amount of opportunity. There has been an uptick in attempted cyberattacks, all while companies are experiencing staff reductions which can create additional ‘insider threat’ type problems. This serves as a harsh reminder of the security and financial challenges created by the pandemic. The only silver lining is this change has increased the adoption of security automation technologies and accelerated digital transformation initiatives.

Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)

The cost of security and privacy failures is underreported both in terms of cost and time to remediate. Big breaches can take years to clean up and settle in court. If I had to give an estimate, the reported cost can be doubled if all true costs are realized and the duration to clean up can be multiplied by three.

It’s not just about the adversary, it’s about the sale of your brand. This might sound silly, but while stock price isn’t often changed, it is more difficult to sell your product or service in the next three or four quarters. Form relationships with your sales leaders today. Sales leadership represents a great ally for support to add security features requested by customers and prospects. I’ve asked hundreds of CISOs how many have a relationship with their sales team; two have said they do.

Understand that few adversaries break in, they log in. They compromise credentials and log in to most networks and applications. Furthermore, the burden on the defender to uncover if an account has been compromised is so great that most simply give up. Lastly, this has changed not only how breaches occur, but also the definition of insider threat as the outsider masquerades as an insider.

Never make introductions during a crisis. Perform executive table top exercises before a breach occurs to develop those lines of communication and form those relationships as soon as possible. I’ve helped several organizations that had a breach and their security officer had never met their CEO or board. Their heated introductions came in the midst of the crisis.

Finally, evaluate your security program based on the incidents you’ve had, not some audit workbook. Use observed failures to drive future work. The list of compliant but breached businesses is long, and this is precisely why.

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)

My list of changes would be long and possibly controversial, but if I could change one thing it would be for everyone to focus more on what makes us the same as opposed to what makes us different. To truly understand that our differences are being used to push us apart when in fact we all, for the most part, want the same things. I had a health scare at 36 as a result of stress (from doing breach response of all things). My body decided to have a form of a stroke that infarcted part of my right kidney. From this I slowed down just a little and tried to appreciate things a little more, to mentor more and to help others more. The idea became ‘be nice and put someone else first’ — so that would be it. Try to help one person a day.

How can our readers further follow your work online?

For information on the current threats to the industry, best practices, company news and upcoming events at Exabeam, readers can read the Exabeam Information Security blog at https://www.exabeam.com/information-security-blog/.

To listen to the New CISO podcast, readers can either go to www.exabeam.com/podcast or listen to it wherever you listen to podcasts.
