It has been said that the currency of the modern world is not gold, but information. If that is true, then nearly every business is storing financial information, emails, and other private information that can be invaluable to cybercriminals or other nefarious actors. What is every business required to do to protect its customers’ and clients’ private information?
As a part of our series about “Five Things Every Business Needs To Know About Storing and Protecting Their Customers’ Information”, I had the pleasure of interviewing Gavin Ashton, a world-recognized expert on cybersecurity measures and identity protection. He currently serves as a security strategist at Stealthbits, a cybersecurity software leader that protects sensitive data and credentials from attackers. Gavin is best known for his “Maersk, me & notPetya” blog, which he authored in the aftermath of being part of the restoration team that helped shipping giant Maersk recover from a vicious cyberattack in 2017. It has been hailed as a “must-read for anyone in charge of securing enterprise networks.” In addition to his work at Maersk leading identity and access management services, Gavin has served as an industry consultant designing integrated security solutions for a host of clients, including the Surrey and Sussex police forces. He also worked for XL Global Services and Nokia. Gavin and his wife Lisa have three young children. They live in the UK, raising their family and enjoying the Oxfordshire countryside.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I grew up in a very comfortable little town in the South of England. I’d ride my bike and play games with the other kids on our cul-de-sac. My older brothers imbued me with a love for the absurd through Monty Python and Spike Milligan. I learned how to speak by being made to recite stuff like the parrot sketch. On weekends we would visit family, which I thought was fantastic as my aunt had a VHS player and a copy of “Star Wars.” Around us there were plenty of places to go mountain biking, so that’s what I spent much of my teenage years doing. I carry a love of cycling (on and off-road) through to today.
Is there a particular story that inspired you to pursue your particular career path? We’d love to hear it.
My introduction to identity and security as a discipline came about when I joined a police force in the UK very early in my career. I was there to “manage users” on their NT4 domain — joiners, movers, leavers, that kind of thing. The people who had built this new “Active Directory” thing left shortly after it was delivered. I was now responsible for that, too. It was a baptism of fire and I loved it. I quickly got my hands around replication, Group Policy, domain controllers, SYSVOL and so on.
After a short time, given the amount of time spent feeding and watering the rest of the service, I decided that manually managing around 5,000 users was an inefficient use of time, prone to failure and so on. So I built my first identity and access management system through the usual mix of Excel, text files and VB scripts. A few short years later, I was operating Microsoft Identity Integration Server (MIIS) at an insurance firm in London.
So, when people ask what inspired me to pursue this career, I say that in some ways it chose me. Personality and what interests you shape some of it. I believe that you make your own luck, and opportunities grasped are really what landed me where I am.
Can you share the most interesting story that happened to you since you began your career?
With the events of the Russian GRU notPetya cyberattack against Ukraine in 2017, I found myself close to the center of the action at Maersk. After the initial impact, those were some very long months of recovery, rebuilding and strengthening of cyber strength and resilience.
The shipping and logistics industry, of which I was a part at the time, generally focuses more on physical assets — the terminals, vessels and supporting infrastructure that keep things moving. Data was not generally considered as vital as these physical assets. Over the past few years this has almost flipped, and today data is a key differentiator. But at the time, we were still in that transition period and unfortunately notPetya was able to wipe out pretty much every single domain-joined system.
The story of the Maersk recovery has been recalled many times. Notably through Andy Greenberg’s great “Wired” article ‘The Untold Story of NotPetya’, by my former CISO Andy Powell in ‘Implementing the Lessons Learned From a Major Cyber Attack’, as well as through my own blog post ‘Maersk, me & notPetya’.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
There are a few managers who really instilled in me a sense of self-belief, despite an always-present sense of imposter syndrome. There are managers who placed a huge amount of trust in me, which was so empowering. I got some great things done in those roles. But there was one manager in an operational role, who taught me the value of consistency, and what the impact can be when we leave gaps. Any time I’m talking about controls today, I’m acutely aware of their diminished value if they’re not followed consistently. This could be in terms of how we build infrastructure, provision identities, or classify apps for conditional access. Without consistency we are flailing in the dark. What this actually reflects is the five principles of NIST: identifying what we have, placing controls around those assets, detecting when those controls fail or are subverted, responding to those instances and then coming back stronger, ready for next time. It’s all about consistency in our approach, and this has served me well so far. So, my approach to consistency was really born out of the experience of working under that manager and I can’t thank him enough.
Are you working on any exciting new projects now? How do you think that will help people?
I am working in a new role that Stealthbits was very kind to create for me as their Security Strategist. They have a brilliant set of capabilities, which I truly wish I’d had access to in previous roles. The exciting thing we’re doing now is looking at extending and integrating these into hybrid cloud workloads and helping organizations manage the types of threats and attacks that are becoming more and more prevalent.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
A few years ago I was invited to one of these boot camps where everybody participates in some activities and then gets told what kind of personality they have. It’s all relatively lighthearted and isn’t supposed to be taken too seriously, but it did offer some interesting insights.
What I discovered (or maybe I was better able to articulate something I already felt) is that we are all different and view the world through a unique lens. We’re each able to interpret situations and conversations in entirely different ways. What may seem extremely straightforward to one person may seem incredibly challenging and complex to another. Not because people are obtuse, or idiots, or are somehow “no good.” We’re just different. What we must learn is how to manage and embrace those differences. In fact, those differences can and should be used to strengthen an organization. This is, to me, the core value of diversity. This leads to the one thing I learned in the notPetya recovery.
The world will continue to revolve without you. What’s more, the greater degree of diversity that is left behind you may well help it to spin that bit more easily than if you have a team of identical-looking people all looking at a problem from a similar perspective. But having a good team around you is one half; the other is taking account of your own balance.
Mind, body and soul are all equally important, and where we neglect one, the others will also end up suffering for it too. It is on us as individuals to manage our time and split what little we have between all the things life throws at us. For the past couple of years I threw everything at my work and my family. My own learning, and my physical state, deteriorated. So for 2021, I’m setting a priority of achieving a better balance, with some stretch goals on the learning front.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. Privacy regulation and rights have been changing across the world in recent years. Nearly every business collects some financial information, emails, etc., about their clients and customers. For the benefit of our readers, can you help articulate what the legal requirements are for a business to protect its customers’ and clients’ private information?
I was involved in many conversations and plans around GDPR, and while it can appear a complex beast, it’s really a simple premise.
We should know how we store and process an individual’s data. If people ask how we store and process their personal information, we should be able to articulate that. If they want a copy of it or want to remove it, we should be able to provide that too.
Beyond the legal requirements, is there a prudent ‘best practice’? Should customer information be destroyed at a certain point?
The real change here is in organizations’ attitude to data. With or without a retention policy, data used to be harvested through whatever means and then either kept, archived or destroyed after a given period. Perhaps that would be on some temporal basis or during some migration or upgrade activity — so as a cost saving, perhaps.
With GDPR, how we store and process information includes what information we store. So we need to ask ourselves “do we really need data point x? Are we asking for more information than we strictly need?” A great example of this is WiFi networks that request all kinds of personal information before they let you connect. This is part of the reason why I carry a 4G WiFi dongle with me at all times.
Another aspect to GDPR is storage limitations. There is no hard limit assigned to different types of information, but it is expected that we can articulate how long we store different types of information for, and how it might be sanitized or anonymized. The GDPR law describes these things in more detail, but the fundamental premise is that we are in control of the data we store, and that we can demonstrate that.
In the face of this changing landscape, how has your data retention policy evolved over the years?
Since I started out in the Police, I guess that has helped my approach to treating data with care and respect; I have always been concerned with both insider and external threats to data integrity. But as much as the NIST five principles assist me in considering all the angles on a particular security control (tip: no control exists in isolation), GDPR helps me in articulating how we control the storage and processing of personal data.
Gone are the days when people should just be emailing spreadsheets stuffed full of personal information to each other. This happened once in a previous role, and it was one of the examples of building a support structure around yourself. Instead of sitting on that data fretting over whatever rules had just been broken, I called one of my contacts in infosec. I got the guidance I needed, shared that with the person who had shared it initially, and I posted the guidance to Yammer as a reminder to all.
It’s about learning, improving and helping those around you be informed and successful. Organizations that have a better response to GDPR subject requests, for example, are likely to receive greater trust from their customers. These days, customers value trust sometimes over and above any other perceived value.
Has any particular legislation related to data privacy, data retention or the like, affected you in recent years? Is there any new or pending legislation that has you worrying about the future?
The recent Sunburst event has highlighted two aspects that may need some smaller or greater degree of legislation.
The first element is with regards to what companies do to protect themselves. It might not be likely to manifest in the form of legislation, but even some recognized (and adopted) standard, or perhaps doctrine of what needs to be done at a basic level to protect from the kinds of attacks enabled when bad actors get hold of keys-to-the-kingdom level privileges, would be so helpful. Many organizations do not have a good grasp of some fundamental aspects of IT security; worse, some are spending huge amounts on advanced controls that are almost worthless without those basics in place. These could be very direct and easy to understand principles like:
- “Require multi-factor (or hardware-backed certificate-based) authentication when accessing Personally Identifiable Information”
- “Do not add service accounts to Global Admins or Domain Admins”
- “Do not add Global Admins to accounts synchronized from Active Directory”
- “Do not synchronize Domain Admin accounts to Azure AD.”
In your opinion have tools matured to help manage data retention practices? Are there any that you’d recommend?
The maturity of Azure Information Protection (AIP), Data Loss Prevention (DLP) and the integration of Microsoft Cloud App Security (MCAS) really provides a strong story compared to even a year ago, when you had separate controls between AIP and DLP, as well as confusing infrastructure considerations to make between the old client and the new unified client. With the move to the unified client, it now “just works” as you would expect it to. This makes it far easier to categorize data and place the controls around it.
There have been some recent well publicized cloud outages and major breaches. Have any of these tempered or affected the way you go about your operations or store information?
With regards to outages, these are not likely to result in fines, per se. What may lead to a fine is if data is compromised or, potentially worse, leaked. To protect data requires a defense in depth approach. It is not enough to simply encrypt information and assume we are safe. We must protect the systems that store the data. Control privileged access. Ensure only the people who need access to the data can do so. We should require controls like MFA or certificate-based (smartcard, security token, Windows Hello) authentication for accessing more sensitive data. We need to be clear with how we are storing and processing data. It is particularly where controls have been found to be lacking that fines can be expected.
With the major breaches we have seen over the past few years, in the case of Sunburst but others as well, we see attackers go for the keys to the kingdom. In the case of AD this would be a golden ticket attack, or with ADFS the token signing certificate. The latter is noteworthy not because it’s particularly new, but that the attacker used a common platform (SolarWinds Orion) to own ADFS without having to perform the usual lateral movement and privilege escalation paths from a compromised workstation. Orion gave the back door access. Since ADFS is used to handle web-based authentication to cloud-based services, this underlines the fact that where you rely solely on on-premises systems to protect data that resides both on-premises and in the cloud, you are entirely dependent upon the integrity of your on-premises environment to protect both. That is not the most secure position. I call this “blast zones,” whereby if one directory is lost, you only want that to impact that directory and the assets protected by that directory. The guidance from Microsoft is also aligned to this now, where they explicitly recommend Azure AD SSO to protect Microsoft 365 services.
What you also see in the case of outages is a sudden proliferation of shadow IT. Solid contingency plans should be in place, well communicated, and even practiced. Without these, people quickly resort to alternative measures, such as social media services or public file sharing platforms to share information. So, a focus on business process, how data is managed through that process, and what fallback plans are for those processes are vital for the integrity of our customers’ personal information. Technologies such as MCAS are also critically important in the control of data leakage.
Ok, thank you for all of that. Now let’s talk about how to put all of these ideas into practice. Can you please share “Five Things Every Business Needs To Know In Order to Properly Store and Protect Their Customers’ Information?” (Please share a story or example for each.)
People: For all the talk of compliance, cloud-based machine learning, AI, and blockchain widgets that marketers wave at us, never forget how important your people are. Even today, most attacks begin through phishing or social engineering. Guidance, good fundamentals, and communication are critical. One of my secret weapons is Yammer. Organizations that get people engaged in this platform can get information to people in a very simple, digestible and familiar format. It achieves way better engagement than emails and Intranet sites which may or may not be read. And you can run things like AMAs for leaders to engage directly with the shop floor. Having a public discussion on a topic that’s available for all to see can also save a hundred service desk calls, or get people thinking differently.
Strengthen your core: Unless you have a strong core, you will see diminishing returns on the flashier features. These things are absolutely fundamental to protecting data and mitigating cyberattacks of the sort that result in huge numbers of systems being encrypted or masses of private data being posted publicly. Is Active Directory sound? Are you running current OS releases on domain controllers? Are your certificate templates up to date? Do you manage joiners, movers and leavers (JML) efficiently? Do you know who can control which systems? Do you apply the principle of least privilege? Do you ensure systems are up to date and supported? Do you prioritize delivery of security patches? Do you have malware-resistant backups with strong contingency plans? Do you practice those? Do you understand what your business-critical processes are, and so on? A strong core will help in all kinds of ways, from insider threats, to compliance, to GDPR.
Modernize your approach: Don’t rely on outdated approaches or architectures to protect you; attackers have moved on, and a firewall, AV agent and some variation of a password complexity policy is no longer enough. Enforce multi-factor authentication (MFA). Use stronger forms of MFA for admin accounts and executives. Push for passwordless. Get apps into a cloud-based identity provider like Azure AD with Conditional Access, where access is verified every time a person accesses a resource. Modernize endpoint detection and response (EDR) and integrate it into some security orchestration automation and response (SOAR)/security operations center (SOC) function — actually respond to important events and activity across the environment. A pro tip: Don’t force users down a virtual private network (VPN); nobody but admins should be using those in 2021. Most people should be able to access everything they need entirely through cloud technologies without much if any need for on-premises technology at an end-user level.
Deploy the things: With your core sorted and approach modernized, now you can look to the fun stuff. Get a handle on data labelling and security policies that may apply automatic encryption and sharing restrictions. Look to deploying some form of cloud access security broker (CASB) solution like MCAS so you’re taking care of all those apps people are signing up to with their corporate credentials (shadow IT). Get a decent privileged access management (PAM) solution like Stealthbits sbPAM deployed and make sure you apply it consistently. Don’t provide options for people to build back the bad, old way through some backchannel like “Dave, who can still create objects in the Computers container.” Before you know it, there will be 5,000 servers in the Computers container and five in the PAM-managed OU.
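The principles Gavin lists earlier (no service accounts in Domain Admins, no synced accounts holding Global Admin, no Domain Admins synchronized to Azure AD) and the “Computers container” drift he describes in the last item are all things you can measure rather than just assert. The script below is an added example, not the interviewee’s code and not a Stealthbits product; it uses the RSAT ActiveDirectory module and the Microsoft Graph PowerShell SDK, and assumes a session with read access to the domain and consent to the Graph scopes named in the code. The `OU=PAM-Managed` path and the `redircmp` target are assumptions to be replaced with your own OU structure.

```powershell
# Added example: audit of the identity "basics" named in this interview.
# Not code from the interviewee or from Stealthbits. Assumes RSAT's ActiveDirectory
# module, the Microsoft.Graph modules, and an admin session that can read the
# domain and has consented to the Graph scopes below. OU names are assumptions.
Import-Module ActiveDirectory
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Identity.DirectoryManagement

$findings = [System.Collections.Generic.List[string]]::new()
$domainDn = (Get-ADDomain).DistinguishedName

# --- 1. Service accounts in Domain Admins -----------------------------------
# A user object carrying a servicePrincipalName is a Kerberos service identity
# (and therefore Kerberoastable); it has no business holding Domain Admin.
# A never-expiring password is the other usual tell of a "service" account.
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties servicePrincipalName, PasswordNeverExpires, UserPrincipalName

foreach ($u in $domainAdmins) {
    if ($u.servicePrincipalName.Count -gt 0 -or $u.PasswordNeverExpires) {
        $findings.Add("Service-style account in Domain Admins: $($u.SamAccountName)")
    }
}

# --- 2 & 3. Global Admins mastered on-premises / Domain Admins synced to cloud --
# onPremisesSyncEnabled is true for every object that Azure AD Connect writes,
# so a synced account's cloud privilege is only as safe as the on-prem forest.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory', 'User.Read.All' -NoWelcome

# 62e90394-... is the well-known role template id for Global Administrator.
$gaRole = Get-MgDirectoryRole -All |
    Where-Object RoleTemplateId -eq '62e90394-69f5-4237-9190-012177145e10'
$gaMembers = Get-MgDirectoryRoleMember -DirectoryRoleId $gaRole.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' }

foreach ($m in $gaMembers) {
    $cloudUser = Get-MgUser -UserId $m.Id -Property UserPrincipalName, OnPremisesSyncEnabled
    if ($cloudUser.OnPremisesSyncEnabled) {
        $findings.Add("Global Admin is a synced on-prem account: $($cloudUser.UserPrincipalName)")
    }
}

$syncedUpns = (Get-MgUser -Filter 'onPremisesSyncEnabled eq true' -All -Property UserPrincipalName).UserPrincipalName
foreach ($u in $domainAdmins) {
    if ($u.UserPrincipalName -and $syncedUpns -contains $u.UserPrincipalName) {
        $findings.Add("Domain Admin is synchronized to Azure AD: $($u.UserPrincipalName)")
    }
}

# --- 4. Computers still landing in the default container --------------------
# CN=Computers is a container, not an OU, so no Group Policy can be linked to
# it; anything created there bypasses the PAM-managed OU tree entirely.
$strays  = @(Get-ADComputer -Filter * -SearchBase "CN=Computers,$domainDn" -SearchScope OneLevel)
$managed = @(Get-ADComputer -Filter * -SearchBase "OU=PAM-Managed,$domainDn")   # OU name is an assumption
$findings.Add("Computers in default container: $($strays.Count); in PAM-managed OU: $($managed.Count)")

# Who is "Dave"? List every identity explicitly allowed to create children there.
$acl = Get-Acl -Path "AD:\CN=Computers,$domainDn"
$creators = $acl.Access |
    Where-Object { $_.ActiveDirectoryRights -match 'CreateChild' -and $_.AccessControlType -eq 'Allow' } |
    Select-Object -ExpandProperty IdentityReference -Unique
$findings.Add("Identities able to create objects in CN=Computers: $($creators -join ', ')")

$findings
# To stop new domain joins landing in CN=Computers, redirect them once as Domain Admin
# (target OU is an assumption):
#   redircmp "OU=Servers,OU=PAM-Managed,$domainDn"
```

Run it on a schedule and diff the output; the point of the “consistency” theme above is that an empty findings list this month means little if nobody looks next month. The script is read-only apart from the commented `redircmp`, and the Graph calls use delegated read scopes only, so it is safe to run from a normal admin workstation before any PAM rollout.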
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)
Learn to trust, collaborate and work together. Get out of your silo. Talk to more people across your organization. You’ll see how you fit into things. How people can help you. How you can help them. Competitiveness might help in sales teams, but otherwise treat it carefully; I’ve seen plenty of occasions where teams are too busy competing to focus on what actually matters — protecting our customers and ourselves from bad actors and delivering on our core values.
How can our readers further follow your work online?
Personal blog: https://gvnshtn.com
This was very inspiring and informative. Thank you so much for the time you spent with this interview!