As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Paul Caiazzo.
Avertium Senior Vice President of Security and Compliance Paul Caiazzo focuses on technology alliances and strategic initiatives guiding Avertium clients through challenging security problems. Paul also leads Avertium’s internal security and compliance initiatives and works to reduce risk across the organization and its customers. Paul has 23 years of experience, with an extensive background in the Federal government and financial sectors.
Paul was a co-founder and the CEO of TruShield Security Solutions, which was acquired by Sunstone Partners to become one of the founding companies of Avertium. Under Paul’s leadership, TruShield earned a distinguished reputation as one of the fastest growing companies in the cybersecurity industry.
Prior to TruShield, Paul focused on the Federal government’s cybersecurity needs in a variety of Department of Defense and civilian agency programs across a spectrum of critical missions. Paul credits his mission-focused background with giving him first-hand knowledge of not only how crippling cybersecurity issues can be, but also the perspective that good security supports the mission, be that through business objectives or government or military initiatives. This sparked his interest in building a career in which he could help clients not only understand the risks they face, but also to combat them with effective mitigation strategies.
Paul also serves as the cybersecurity advisor to the Science and Technology Policy Center for Development, where he utilizes his expertise to help the nonprofit achieve their goal of advancing ICT in developing countries.
Paul is a Certified Information Systems Security Professional (CISSP), a Certified Information Systems Auditor (CISA) and a Certified Ethical Hacker (CEH).
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I was born in the Northern VA area, near Washington, DC, which during my early career developed into ‘Silicon Valley East’, with many technology companies becoming global leaders in my backyard. My father was a government employee who worked in information technology very early in the discipline’s creation and was one of the first information security leaders at the organization he worked for.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
I don’t know if there was one specific story, but rather a series of occurrences. After graduating college, I worked for a large defense contractor supporting some missions in the DoD, working on bases in the DC area, and was eventually given responsibility over the security architecture of a large program in a northern African nation dealing with terrorist organizations operating within their borders. That program instilled in me that cybersecurity needs to support the mission first and foremost, and that the work we do as cybersecurity professionals can indeed have life or death consequences. The aspect of good vs evil was attractive to me and, within technology, I feel it is unique to cybersecurity.
Can you share the most interesting story that happened to you since you began this fascinating career?
Some of the more interesting stories relate to incident response scenarios where consequences were dire. Without going into details I probably should not, one former customer used to continuously remind us ‘if we don’t get this right, planes fall out of the sky’.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
First and foremost, my family, who have supported me at every step of the way — I’d be nowhere without them.
From a professional standpoint, early in my infosec career, a program manager at the large defense contractor I mentioned previously gave me an opportunity to take over the security elements of that large northern Africa program, and I wouldn’t be where I am today without having grabbed that opportunity with both hands and run with it. I’ve stayed in touch with him and am very appreciative for being given the chance to show what I could do.
Are you working on any exciting new projects now? How do you think that will help people?
The great thing about cybersecurity — and also one of the big challenges — is the rate of change. There is a continuous stream of new technologies and solutions, some great and others less so. My role at Avertium includes identifying those solutions which are most well-aligned with the problems our customers are trying to solve and enabling a business outcome around them. It’s exciting to see those ideas develop into services that our customers take advantage of.
Some of the key things we are working on right now revolve around zero trust architectures, which I think nearly all companies can benefit from, but many don’t understand how to begin the journey. We are working to solve that problem.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
Be passionate and intellectually curious about this career. The most successful are those who read the newest research, keep up with developments and continuously learn. I find I don’t get burnt out if I’m learning something new, it’s when you fall into a rut or routine that things get boring for me.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?
There is a lot about my job that I love. Cybersecurity professionals are challenged with new and complex problems to solve every day, and often have to be very creative to do so. As a creative person who enjoys playing musical instruments as much as I enjoy tinkering on old cars, I find that my work seems to scratch those same itches. Being empowered to think laterally around a problem is stimulating and keeps me interested in staying abreast of new developments in both what the bad guys are doing as well as what we good guys have to do to stop them.
The concept of good vs evil is another component of why I love what I do. There are nefarious actors out there who have no regard for the impact or consequence of the attacks they perpetrate. The perfect example of this was the recent campaigns made public in FBI and HHS disclosures that sophisticated ransomware threat actors were specifically targeting US-based healthcare organizations for ransom. I cannot fathom how any human — in the middle of a pandemic — can shut down a healthcare provider and jeopardize the lives of who knows how many people. Ransomware targeting medical devices and medical facilities has long been a waking nightmare I’ve worried about, and that campaign really drove it home. We helped multiple large healthcare providers through that and I can tell you with certainty, many people were unable to be treated while systems were inoperable.
Stopping that kind of activity is of critical importance, so when those crises hit, I find that I and my teammates unlock that extra bit of energy needed to work the sleepless nights until the problem is resolved. Beating the bad guys can be a rush.
What’s more important than scoring a win against the bad guys, though, is being there for a customer on what might be the worst day of their professional career. I’ve been in many incidents where customers are panicked or just don’t have any idea what steps to take because they’ve simply never encountered that situation before. Being a calming force that can guide the customer team through the right steps to get back to operations quickly and securely is gratifying, and some of my best customer relationships were born through serious incidents.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
There is never a shortage of threats for the world to deal with. The bad guys are crafty and increasingly well-resourced, and it is no trivial effort to keep the continuous attacks at bay. The threat that most keeps me up at night is the proliferation of ransomware, and specifically the ransomware-as-a-service economy that has grown up as a hyper-profitable business model that divides the responsibilities and proceeds of a ransom attack across a broad group of specialists.
Access to the RaaS community requires proof of expertise, usually in the form of pre-existing illicit access to a victim. Most of the RaaS operators have names you may have seen in the news recently — REvil, Sodinokibi, NetWalker, EvilCorp, Ryuk, etc. — and nearly all of these also have the particularly telling requirement of affiliates being Russian-speaking, indicating at best lax enforcement of law, and at worst actual state sponsorship of the crime organizations themselves.
The RaaS groups are highly effective and are now learning that ‘double extortion’ is the best means to monetization of illicit access. In a double extortion scenario, the threat actor not only encrypts the victim’s systems to disrupt or halt operations as a means of leverage, but first purloins sensitive or regulated data like PII as a further means of leverage. The victim organization has the choice of paying the ransom or having the sensitive data leaked.
We’ve helped many customers through crippling ransomware attacks recently, and they seem to be increasing in frequency more so than decreasing.
Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
One of the more challenging recent examples was a ransomware attack perpetrated by one of the RaaS groups I named previously — NetWalker.
In this case, the threat actor had gained access to the environment over a month before the actual ransomware attack, and had used that time to great effect, staging terabytes of data for exfiltration and propagating malware to every corner of the environment through compromised domain administrator privileges that allow them to utilize Group Policy Objects and PowerShell scripts appearing legitimate to the untrained or unwatchful eye.
Unfortunately, this organization’s protection and detection platforms were either expired or incompletely deployed, and no alarms were triggered throughout the course of the threat actor’s chain of attack. When we were called in, nearly every system in the environment had been encrypted, including the backup servers. A lengthy recovery process began in earnest, with a parallel root cause analysis/forensic investigation.
Throughout the course of our investigation, we were able to pinpoint the point of entry and the threat actor associated with the attack, even as far as identifying the individual underground forum users who had gained the initial access and then sold it to the RaaS group. This information was shared with law enforcement to aid their ongoing investigation into the threat actors.
What we found in terms of root cause is unfortunately all too common in our work — the victim organization had an unpatched vulnerability in their externally-facing VPN server which was easy to exploit. The vulnerability had been patchable for nearly a full year, and was a serious issue which when exploited, allowed the attacker to scrape all credentials utilized for VPN connectivity during the window of attack. As we all know, the majority of the world’s knowledge workers are working from home and utilizing a VPN, so nearly all of the victim’s credentials were stolen, and then used illegitimately to perform the remainder of the attack, which we classified as a complete network compromise.
We ultimately had to rebuild the organization’s IT infrastructure from the ground up. Timely patching would have negated this entire attack.
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
We utilize a very wide variety of tools in our day to day security work, and for Avertium, the focus isn’t so much on the product but rather the discipline which underpins it. For instance, our approach to Extended Detection and Response (XDR) centers around Security Information and Event Management (SIEM), Endpoint Detection and Response (EDR), Vulnerability Management, and Zero Trust Networking.
At the surface, each of these acronyms can describe a product, but if you inspect deeper, you’ll discover that the tactics, techniques and procedures we use to protect our customers using SIEM, EDR, VM and ZTN constitute disciplines unto themselves. It is relatively easy to put a technically astute individual through a product training, learning what buttons to click and so forth, but to us, that sort of misses the mark.
We prefer to train our analysts and engineers on the critical thinking needed to parlay an analyst workflow to multiple different product platforms, EDR as an example. Understanding what to look for in an event log or process tree is much more valuable a skill than knowing which buttons to press in a given product to present that log or process tree for analysis.
Of course, some tools are better than others for a given task, and part of my role at Avertium is to identify those technical alliances which best align with our customer’s desired outcomes.
SIEM tools are designed to aggregate log and metadata to allow for the correlation of events across multiple data sources. The idea is that that correlation, especially when mashed against threat intelligence, helps an analyst identify an attack chain. With proper tuning and constant vigilance, they can be very effective, but again, the analyst’s investigative process is the lynchpin, not the tool.
EDR tools are designed to provide defensive measures against sophisticated attacks using behavioral analysis more so than a traditional anti-virus tool’s signature matching. The idea there is that it is trivial for an attacker to slightly modify a file such that the signatures no longer match the detection profile, but it is much more difficult for the attacker to modify the processes or behaviors which manifest in the course of an attack. By focusing on things like spawned processes, libraries called, registry entries viewed or modified, etc., an EDR tool can be instrumental in identifying an attack which would sail past traditional AV. Additionally, an EDR tool gives the incident responder a wealth of tooling to support live forensics, and the ability to quarantine or isolate a compromised device.
Vulnerability management tools identify the unpatched software and other misconfigurations which may exist within an environment. The security adage that you cannot protect that which you do not know about applies here. It is critical to identify and remediate vulnerabilities within an environment in a timely manner, because the majority of the world’s data breaches, and certainly the current crop of ransomware, exploit known and patchable vulnerabilities which unfortunately the world is simply not addressing fast enough.
Zero trust networking is a conversation unto itself, but at its core is a strategy which states that the system will trust no one unless they are proven to be trustworthy, and even then will only present those data or resources for which that individual has a need to know. There are a variety of strategies to accomplish this, and if on its surface it sounds like common sense, it is. Implementing it is more complex than one might think.
How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?
The crux of this question hits at one of the foundations of building a security strategy — Risk Governance. Any decision regarding the security of an organization must be founded upon that organization’s risk tolerance — what types, and how much risk that organization is willing to accept.
For example, an organization that hosts a public website and publishes material meant to be consumed by the public at large may not view confidentiality as a key concern, as the information they present is meant to be public. They concordantly would view confidentiality risk tolerance as relatively high — that is, they can accept a certain amount of confidentiality risk.
On the other hand, a healthcare organization that processes a large volume of Private Health Information (PHI) would have a very different view of the amount of confidentiality risk they can accept.
Performing this introspective analysis of one’s risk appetite is informative to the decisions around the controls which are chosen, and should also inform the organization on decisions regarding their ability to manage risk down to their acceptable level using only internal resources. Very often, an outside expert can cut to the core of an organization’s security problems much more quickly than an internal team not necessarily comprised of security experts.
Simply put, we’ve seen so many different organizations across the maturity landscape that we can guide a customer around common pitfalls companies often fall into without the benefit of experience. It might seem costly to bring in a consultant or a Virtual CISO, but it can be much more costly to make a few easy mistakes, suffer a breach, and then have to bring in the outside consultant anyway. My guidance would be that any organization can benefit from a Virtual CISO, most especially those in any regulated industry, or those companies that process sensitive information like PII or PHI.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?
It is certainly true that a data breach can happen to anyone, even the well-prepared. The reason for this is that the bad guys only need to get it right once, whereas the good guys have to continuously bowl the perfect game. Obviously, that isn’t possible, which is why the concept of defense in depth exists.
A critical thing all organizations need to do is make sure their entire employee population has been trained on security awareness. Each employee in the organization has a role to play in protecting that organization, and each needs to understand that role.
The most critical thing a layperson should look out for are phishing emails and other social engineering attacks that are being used to deliver malware to unsuspecting users. These are no longer the sole domain of the ‘Nigerian Prince’ scam, but usually leverage current events like the COVID-19 pandemic to trick users into opening the email, clicking links, and downloading attachments.
The other key thing that users need to know is that when they observe suspicious emails like those described, they need to raise the red flag. They shouldn’t forward the email around the organization, but the IT department needs to be made aware, and may request the email be forwarded to them for analysis. The IT team should then be trained on notification to the user population of the phishing attack and the things users should look out for to protect themselves.
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
Whenever we get a call from a new customer who has just experienced their first data breach, the first question I ask is ‘Have you engaged outside counsel?’. It is critical that the decisions made in the hours and days after discovering a breach are guided by qualified attorneys who have managed cybersecurity incidents involving data breaches, as the breach notification requirements a given company may be subject to by law can be complex and varied depending upon the jurisdiction and the type of data exposed.
The second thing the organization should be thinking about is calling in an expert, and not spoiling evidence. A forensics investigator is going to need access to as much forensic data as possible to reconstruct the chain of attack, and actions which may seem prudent, like restarting systems, or immediately moving to restoring from backup, or even resetting passwords, may have the opposite of the intended effect.
For instance, an organization that has suffered a domain compromise may seek to reset domain administrator passwords quickly, but depending upon the nature of the attack, may not actually evict the threat actor’s access, and could also give the attacker notice that you are aware of their activities, accelerating any ongoing actions the actor may be perpetrating.
Also, I often ask an audience for a show of hands on who would be willing to communicate with a ransomware threat actor and negotiate a ransom and very rarely have more than a few people raise their hands. The reality of the situation is that in a serious incident, you almost always have to, especially with the proliferation of the ‘double extortion’ attacks I mentioned earlier. It is incumbent on an organization to determine if data was stolen, and when systems are crippled, the threat actor may be the only source able to tell you what was stolen, which they will do via screenshots of exfiltrated files or directories referred to as ‘proof of life’.
For a company like ours, new regulations such as CCPA represent new opportunity. So many organizations simply don’t know where to begin with the newest set of privacy laws that they have to turn to outside assistance, which we’re able to provide.
We’ve seen a large uptick in our privacy practice and have developed a few solutions to aid customers in understanding their potential exposure to compliance risks associated with each of these regulations.
In terms of other impacts to our business, since we provide 24/7/365 monitoring for security incidents to a wide variety of customers around the world, we’ve had to prove our compliance with these regulations as it relates to the type of data we process. In the normal course of business, most types of PII never touch our systems, but since we do utilize metadata like IP Addresses, geo-location, user profiles and behaviors as indicators of attack, we’ve had to carefully plan and implement the protection of that data and work with customers to ensure that they’ve written into their own internal security policies the explicit right to monitor activity on the corporate network.
What are the most common data security and cybersecurity mistakes you have seen companies make?
The most common mistake I see is the ‘I’m not a target’ misconception, which can also come across as ‘I’ve never had a breach before, so I don’t need to worry about that’. Smaller companies or those without a significant public profile may feel like they aren’t worth an attacker’s time and that none of the sophisticated threat actors are out to get them specifically, or they may feel that because they’ve never been breached before (as far as they know), they must be secure.
The reality of the situation is that even if you are right that you are not being specifically targeted, it simply is immaterial to the discussion. Opportunistic attackers will blast a very large email list with malware-laced phishing attacks, and it only takes one user accidentally falling prey to such an attack to result in a very bad day for that organization. They weren’t specifically targeted, but the net effect was the same.
Similarly, the statistics prove that an organization may not know they’ve been breached for months after the attack, and are often only informed by law enforcement who may discover artifacts of a breach in the course of an otherwise unrelated investigation. Putting blinders on to the risks involved in failing to proactively protect yourself is dangerous.
On a more technical level, very commonly we see breaches as the result of an attacker’s ability to exploit a vulnerability for which a patch exists, and has often existed for a significant amount of time. The mistake here is that the organization has failed to implement critical security patches in a timely manner, and every day those vulnerable systems sit within an environment unpatched is a day of continuing to roll the dice on a data breach. I don’t like those odds.
Since the COVID-19 pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?
The uptick in attacks we’ve seen since the pandemic began and the world’s knowledge workers have shifted to work from home has been unprecedented. Phishing scams increased by several orders of magnitude, and we’ve responded to several breaches which may have been avoided if either staff were still in the office, or if the victim organization had shifted to work from home more securely.
That really is the error we’ve seen — hasty shifts to work-from-home without thinking through the full security implications and protecting one’s self against the likeliest risks. The biggest issue we’ve seen relates to virtual private networks (VPNs), which are used to securely connect a remote user to a corporate network. Most organizations quickly adopted what is known as a split-tunnel VPN, which routes corporate traffic directly to the corporate network, but other Internet-bound traffic directly to the Internet.
The problem this creates is that all of the security controls built into the corporate network (firewalls, intrusion detection systems and the like) are completely circumvented by dumping the traffic straight to the Internet. Bad guys aware of this flaw exploit it to great effect. A user on a split-tunnel VPN who accidentally browses a compromised website, or clicks a phishing link in their Gmail account, invites an attacker onto a system which now has access to the corporate network over that VPN connection. We’ve seen very successful ransomware attacks orchestrated in this manner. Our recommended solution is a Software Defined Perimeter approach adopting the core tenets of zero trust networking, which aids greatly in protecting sensitive data and containing threats which may impact individual systems.
Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)
Security platforms are complex, and systems break down. Expect the best, but plan for the worst by adopting a program-oriented approach centered around five key disciplines, all of which work in concert to protect an organization and all of which represent a continuum of controls which must be implemented and integrated to adequately protect against threats.
Identify. You cannot secure what you do not know about. Inventory your network including both hardware and software. Perform regular vulnerability scanning to identify vulnerable systems, and prioritize their remediation based upon the severity of the vulnerability and the criticality of the system. Catalog and classify your data to identify where data exists and how users interact with it. Identify those users who possess elevated privileges and determine if those privileges are truly required.
Prevent security incidents wherever you can by patching vulnerabilities discovered during the Identify phase as quickly as possible. Implement security controls such as firewalls and endpoint protection to ensure that your attack surface is minimized and that each potential point of attacker entry has advanced protection safeguarding it. Ensure those controls receive updated signatures regularly and keep pace with attack trends by reading security publications and researcher blogs.
Know that you cannot prevent all attacks, and therefore must be able to detect those which slip past your defenses. Enable successful detection strategies by integrating monitoring platforms together. Feed your Intrusion Detection System, Firewall, Endpoint Detection and Response, threat intelligence, and operating system event log information into a SIEM, and then tailor correlation rules to the threats you are most likely to encounter. Tune and optimize your SIEM over time, and wherever possible, seek to align with a framework like Mitre ATT&CK to more effectively detect the actions a threat actor is likely to execute in the course of an attack.
Once you’ve detected a security incident, you must be able to rapidly respond. Build muscle memory in response by documenting and testing an incident response plan. Keep it up to date with roles and responsibilities, and perform tabletop exercises at least once a year, preferably more frequently. If possible, utilize automation available in your security tooling to immediately respond to common threats affecting endpoints. Engage a third party incident response organization in an Emergency Response Retainer so they are ready to parachute in should an incident occur that you cannot handle yourself.
Be ready to recover systems to a known good operational state in the event you experience a serious incident like ransomware. Perform regular backups of key systems and, critically, test the restore operations frequently, as restoration from backup is not always successful. Document a disaster recovery plan and perform at least an annual test of it with activities like failing over to secondary processing systems.
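To illustrate the detection discipline above, here is a small SIEM-style correlation rule in Python, written for this page as an added example (it is not Avertium’s tooling or anything from the interview). It flags the chain described in the NetWalker story: a privileged account modifies a Group Policy Object and PowerShell then starts on many hosts shortly afterwards. The log records, hostnames, accounts and the EXPECTED_GPO_EDITORS allow-list are constructed sample values; the MITRE ATT&CK technique IDs are real.

```python
from datetime import datetime, timedelta

# Constructed sample log records (not real telemetry): ISO timestamp, host,
# account, event type, detail. A routine GPO edit by an admin at 00:40 is
# followed by one script run; a service account edits a GPO at 01:12 and
# PowerShell then launches on five machines within a few minutes.
SAMPLE_EVENTS = [
    ("2020-11-02T00:40:00", "DC01", "CORP\\jsmith", "gpo_modified", "Printers Policy"),
    ("2020-11-02T00:41:30", "WS-017", "CORP\\jsmith", "process_start",
     "powershell.exe -File C:\\Scripts\\printers.ps1"),
    ("2020-11-02T01:12:03", "DC01", "CORP\\svc_backup", "gpo_modified", "Default Domain Policy"),
    ("2020-11-02T01:14:10", "WS-104", "SYSTEM", "process_start",
     "powershell.exe -File \\\\DC01\\SYSVOL\\corp.local\\scripts\\update.ps1"),
    ("2020-11-02T01:14:12", "WS-105", "SYSTEM", "process_start",
     "powershell.exe -File \\\\DC01\\SYSVOL\\corp.local\\scripts\\update.ps1"),
    ("2020-11-02T01:14:15", "WS-106", "SYSTEM", "process_start",
     "powershell.exe -File \\\\DC01\\SYSVOL\\corp.local\\scripts\\update.ps1"),
    ("2020-11-02T01:14:20", "SRV-BK1", "SYSTEM", "process_start",
     "powershell.exe -File \\\\DC01\\SYSVOL\\corp.local\\scripts\\update.ps1"),
    ("2020-11-02T01:14:22", "WS-110", "SYSTEM", "process_start",
     "powershell.exe -File \\\\DC01\\SYSVOL\\corp.local\\scripts\\update.ps1"),
    ("2020-11-02T01:20:00", "WS-104", "SYSTEM", "process_start", "notepad.exe"),
]

# Accounts whose GPO edits are routine in this constructed environment.
# A GPO edit by any other account raises the severity of a matching alert.
EXPECTED_GPO_EDITORS = {"CORP\\jsmith"}


def parse_events(raw):
    """Turn the raw tuples into dicts with datetime objects, sorted by time."""
    parsed = []
    for ts, host, user, kind, detail in raw:
        parsed.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "user": user, "kind": kind, "detail": detail})
    return sorted(parsed, key=lambda e: e["ts"])


def correlate_gpo_powershell(events, window=timedelta(minutes=30), min_hosts=4):
    """Correlation rule: a GPO modification followed, within `window`, by
    PowerShell starting on at least `min_hosts` distinct hosts.

    One legitimate GPO edit rolling out a script to a single machine stays
    below the host threshold; a fleet-wide push right after an unexpected
    account edits a GPO is exactly the pattern worth paging an analyst for.
    """
    alerts = []
    for i, ev in enumerate(events):
        if ev["kind"] != "gpo_modified":
            continue
        hosts = set()
        for later in events[i + 1:]:
            if later["ts"] - ev["ts"] > window:
                break  # events are sorted, so nothing further can match
            if (later["kind"] == "process_start"
                    and later["detail"].lower().startswith("powershell.exe")):
                hosts.add(later["host"])
        if len(hosts) >= min_hosts:
            alerts.append({
                "severity": "medium" if ev["user"] in EXPECTED_GPO_EDITORS else "high",
                "gpo": ev["detail"],
                "editor": ev["user"],
                "first_seen": ev["ts"].isoformat(),
                "hosts": sorted(hosts),
                # MITRE ATT&CK techniques the rule is aligned with
                "attack": ["T1484.001 Group Policy Modification",
                           "T1059.001 PowerShell"],
            })
    return alerts


def hosts_to_isolate(alerts):
    """Hosts an EDR isolation playbook would act on for high-severity alerts."""
    hosts = set()
    for alert in alerts:
        if alert["severity"] == "high":
            hosts.update(alert["hosts"])
    return sorted(hosts)


if __name__ == "__main__":
    found = correlate_gpo_powershell(parse_events(SAMPLE_EVENTS))
    for alert in found:
        print(alert["severity"], alert["editor"], alert["gpo"], alert["hosts"])
    print("isolate:", hosts_to_isolate(found))
```

Thresholds like the 30-minute window and four-host minimum are the tuning knobs the interview refers to; in a real SIEM they would be set from how GPO changes are normally rolled out in that environment.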
The above is a lot to digest, but successful security programs are built by starting with the end in mind. A pragmatic approach starts by identifying where an organization has pre-existing maturity within each of these domains, then roadmaps a plan to a target state that can be achieved over time. Security is a journey; the first step is to understand where you are starting from and where you are trying to get to.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)
Be curious, be skeptical and be vigilant. If you are interested in cybersecurity there is a huge wealth of information available to you through articles in security publications, researcher blogs, and freely available training. Even if you aren’t interested in security, healthy skepticism and critical thought are vital to protecting yourself and your organization from harm. Being vigilant in our daily lives translates directly to being better prepared to handle an attack when it inevitably comes.
How can our readers further follow your work online?
This was very inspiring and informative. Thank you so much for the time you spent with this interview!
My pleasure, thank you!