Log4Shell for the Holidays – Dr. Richard Ford

[01:13] There’s No Trust in the Industry

Rachael: We’ve got Dr. Richard Ford. He’s the chief technology officer at Praetorian, and it’s his third time on the podcast.

Eric: Episode 10 in November of 2018, that was on Rethinking Digital Trust. Then Episode 38, The Future of Trust in July of 2019. We’re talking about a great topic today where there’s no trust in the industry.

Rachael: Why has it been so long, Richard? Did we lose your number? Did you lose our number? What happened? Have you just been busy?

Richard: It has been a bit busy, but also time is doing strange things in this day soup that we live in. I’m a little bit confused about whether it’s Christmas or Easter right now.

Rachael: It sure is, but I’m glad you’re back. We’re glad to talk to you because this is the highlight of my month right here. I could think of a better way to end it.

Eric: We’re going to get this out pretty quickly, so our listeners can learn about it while we’re in the midst of the problem.

Rachael: The big topic, as we were talking about, is what Dr. Richard Ford wrote. He’s written a Dark Reading byline article and numerous blog posts and other things on this topic.

Eric: Patents, you name it.

Rachael: Patents, it’s 45, 60, I don’t know, a lot of patents and all the things. But he is going to help us break down Log4j aka Log4Shell and all the goodness that comes with that.

Log4Shell Is a Big Beast

Rachael: This is a big beast. We talk about beasts in security, but this is a big beast of a zero-day event.

Richard: Probably the worst in my career, certainly the worst in the last 10 years or so, it’s pretty bad.

Eric: Why do you say that?

Richard: You don’t need access to the machine. You can do it remotely with no account. It’s a simple text-based attack, so you don’t need to be a rocket scientist to make it do anything. It’s not like I have to defeat H.G. Adler, just thought I’d throw that in there for you. It isn’t like I have to defeat some terribly esoteric defense. Literally, we have reports of people renaming their phone to a specific string. So you don’t need access. It’s a fairly simple string-based attack.

Once you understand it, it’s pretty easy to make it go. The worst of it is that you can scan for it and it’s hard to scan for it reliably remotely. That just makes everything more difficult. There’s only one way to know for certain that you’re safe. That’s to look at your actual source code to do a software bill of materials. Then make sure you don’t have a vulnerable version of Log4j anywhere in your ecosystem.

Eric: If you’re a vendor, you can do that because you own the source code. But if you are a consumer of products, whether consumer-grade or enterprise-grade, you, obviously, don’t have access to the source code. So the best you can do is look at every vendor you deal with. I’m a Mac user.

A Service Side Problem

Eric: If you’re running a Mac, you’ve got to literally go to Microsoft and understand the Microsoft platform, Adobe for the PDFs and all the tools you’re using. Ensure that the vendor has either updated you; well, first created an update and then automatically updated you. Or you’ve got to update your software to protect yourself.

Richard: Mostly fair. So this is much more of a service-side problem than a client-side problem. There are some examples of things that run locally that potentially are vulnerable. But the ones that we’re scared about are the ones that are in the cloud. Those ones right now that are the most at risk, those are the ones that are most targetable.

Eric: Because they’re accessible?

Richard: Because they’re accessible, and because typically an endpoint isn’t usually using something like Log4j, which is a logging component. This is much more of an enterprise software, enterprise server. So like VMware Horizon, or think about all those SaaS products that are hanging out in the cloud. But it’s not to say that there aren’t things in your house that could potentially be vulnerable.

I think about embedded systems, some smart televisions, some of the smart homes. But the real big risk is all that enterprise SaaS stuff. Even there, you’d say it’s easy for the vendor. The vendors can look at the source code. A lot of times, even pretty good vendors aren’t aware of everything that’s in the cloud. So one of the big challenges that we have is there’s a statistic about 30% of your IT assets you’re not aware of.

A Vulnerable Version of Log4Shell

Richard: 95% of all Docker containers have a life span of less than a week. It’s such a moving target that even for a pretty good defender, it’s difficult to know where all your stuff is.

Eric: Especially if the cloud-accessible systems are vulnerable.

Richard: This is one of the nasty things about this, remember I said, it was a string. I just have to get a special string into a vulnerable server. That doesn’t mean I have to connect to that server. I could connect to the web server or the web server could push that thing through Kafka. Kafka could pick it up in some other backend server, and if anything, anywhere in that whole chain uses Log4j, a vulnerable version of Log4j for logging, I’m about to own your infrastructure.

So it’s not just the front end, it’s all the different places this goes. There’s a piece of messaging that I want to get out because people don’t understand this. There are all these scanners that people have put out for Log4j. None of them are super reliable. A lot of them just change one header in the HTTP request, and if you don’t get a pingback, you go, “Oh, you don’t have Log4j. You don’t have the Log4Shell vulnerability.” That’s not true.

We’ve seen examples now scanning, where we’ll send the exploit. 12 hours later, we get a pingback because there was a batch job that picked up this log and imported it into Elastic. Then, it got exported from Elastic into some overlap system and bam, that system was vulnerable, and we got that one. We didn’t get the front-end system. We got it much later. It’s crazy.

[08:41] Log4Shell, Colonial Pipeline, and Ransomware

Eric: Just to baseline quickly for our listeners, this is a Java logging library that’s commonly used.

Richard: It’s ubiquitous in the Java world, and it’s a good library. I’ve used it. That’s the definition of common because I don’t write much Java. If I’ve used it, it must be pretty common.

Eric: Rachael, you’re director of communications. You deal with The Wall Street Journal, The Washington Post, you deal with all the publications out there. All the periodicals, you deal with the news, everybody all the time. I consider you an expert in this topic. Is there more written about Log4j, Log4Shell, or Colonial Pipeline and Ransomware? Based on your expertise and opinion, what’s out there? What does the common person know more about?

Rachael: Honestly, the Colonial Pipeline because everybody understands being without gas.

Eric: Which one would you say is more commonly understood and known?

Rachael: Versus Log4j?

Eric: Yeah.

Rachael: Everything. Unless you’re in the industry or really following it, you wouldn’t necessarily be poking on Log4j like you would the others. As a consumer, you can understand it in terms of broad-based interest in being able to grasp a concept. We can grasp the concept of not having gas, but with a lot of things, these zero-day vulnerabilities until it impacts you personally. You have a hard time wrapping your head around it in terms of a more broad-based audience.

If my iPhone, or if I was playing Minecraft and suddenly stopped working for me because of Log4j, as a layperson, I would understand it better. But when you read this stuff, sometimes it feels dumb.

Dealing With Log4Shell Forever

Eric: Yep, or just so distant from something I control or deal with. I’m going to switch back to our expert here, Dr. Richard Ford. Dr. Ford, which one do you think has a more serious potential result from destruction or espionage or theft of data?

Richard: We’ll be dealing with this Log4j, Log4Shell forever because it’s very deep in people’s clouds. It’s not even necessarily exposed on the front end. So my prediction is that this is one of these phones that will hang around for quite a long time. We’ll find it in interesting and subtle places. I was shocked at, actually, how little coverage it got.

Eric: I always do.

Richard: We stood up a war room once we figured this thing out. So Praetorian, we do a lot of offensive penetration testing work in the commercial world. We do security assessments, red teaming, that whole gamut of very high-end bespoke services. What we did is we weaponized this thing in a couple of hours, once it was announced. We’re like, “Oh, my. Good Lord, this thing is awful.” Then, we started working with our customers. I got to brag about this because it was a beautiful thing. We, for free, started scanning our customers’ ecosystems.

Because when do you need friends? It’s when you’re in the trenches. This isn’t the time to go, “Okay. Stroke me a check for X, and let’s do it.” The team buckled down over the weekend and lived on pizza and Mountain Dew, just banging out Log4j scans. The number of people that we got would cause you physical pain.

Comparing Log4Shell to Ransomware

Eric: Right, and that’s why we’re doing this show. Because I don’t think people understand, and comparing Log4j, Log4Shell to Ransomware is probably not a good comparison. But maybe comparing it to EternalBlue, the tool set or something. It has a better likelihood of damaging or creating damage, negative consequences.

Richard: Log4Shell potentially gives you access, and so it remains to be seen what’s done with access.

Eric: But once you have access, you have a lot of options.

Richard: You do have a lot of options. But if you’re a bad guy, when something like Log4Shell comes out, what do you do? You don’t pick one person and do something horrible to them, because you know that it’s like this Cyber Monday of vulnerabilities. You’d want to get in there quickly before Tuesday hits and all those discounts go away. So you compromise as many people as you possibly can. You go resident and maybe I’ll come back and do something bad to you later. That’s my fear.

Eric: You gain entrance on a wide scale. Then you kick back and think about, “Now, how do I triage and what do I need to do?”

Richard: Or, “How do I make the most money, or how do I exert the most force?”

Eric: If you’re on the good guy, good people side, you’re a white hat hacker. You’re an IT defender, InfoSec professional, whatever, what’s your recommendation? What do you do? I’ve got all these systems, I don’t even know about 30% of them based on your data, which I would agree with. Some places are a lot worse than 30%, what do you do?

An Attacker-Centric View

Eric: What should we do, and what do we do? They’re different answers. First of all, the time to figure this stuff out isn’t when it’s raining cats. There are things that you should be doing on those sunny days when the sky isn’t falling.

Richard: We should pivot and talk about that at some point in our time together. Why do you deal with this specific vulnerability? You do the best you can. So you take an attacker-centric view because you know what the attacker’s playbook is going to be. You make sure that none of your assets are trivially vulnerable for that attacker-centric playbook. Then you use the scanners that are out there and you make sure those things are blocked as triage.

So you can delve down deeper into your organization. If you develop your own software and you’ve got good asset inventory, then the only real way to deal with this is to patch or to get onto a patched version. Of course, that was a bit of a mess, because there were a few different patches that came out from Apache Software Foundation. We finally got, I think 217 is the current. That appears to have solved this issue. 216 and 215 had bugs that were still exploitable.

Eric: The vendor community is going to be working on this for a while. But if you’re in the InfoSec world, you’re going to be patching your systems for a while?

Richard: So let’s not give the industry a D-. I’d say it’s more of a B-.

Eric: I totally disagree, but we’ll go with you because you’re the doctor.

Trying to Be the Good Folks

Richard: We did see a pretty swift response from quite a few vendors moving to the newer version. I know a lot of folks who worked that weekend trying to protect their customers, not only us. We were out there trying to be the good folks, but all those people who had vulnerable services were trying to get a patch through and test it and into production for customers. It was a real fire drill.

The place where we didn’t do so well as an industry is, we’ve been the clearest about communicating the limitations of some of the mitigations. Or the limitations of the scanners that people have been putting out there. And the only real way to be sure is to just get rid of this exploitable version from all of your boxes. But let it go.

Eric: Which is difficult. If I’m a CEO or a board member, Rachael and I are on the board of company X. We’re going into the holidays here. We want to kick back and relax. We’re tired. Do we know that our system, our company is okay, and everything’s going to be good going into the holidays? What are we being told?

Richard: You have to take a more risk management approach, probably a risk anything.

Eric: Which we’re great at, in this industry. Risk and prioritization of assets and data, we’re so good at.

Richard: We’re number one, totally. But you have to view this from a risk management standpoint. You have to do some forward planning, you have to figure out what your attack surface is. That’s a real problem for many companies.

[17:10] Shocking but Not Surprising

Richard: Again, that’s a, “Don’t do it when it’s raining,” sort of day. It is inexcusable. It’s shocking, but not surprising that we’re so bad at drinking our assets as an industry. I was looking at my home router, and I’m like, “Why do I have 12 devices on my home router?” After a little bit of back and forth with my wife and then actually after scanning the two devices, I couldn’t figure out. I could account for the 12 devices and that’s in my home.

Eric: I’ve got 39.

Richard: But you know what I mean. Why do I have that speaker? That thing’s on the wifi, I guess it should be talking to my RAM. Now, imagine in the cloud where anybody with a credit card can spin something up and put it into your environment. It’s pretty bad. One of the big takeaways from this is you need to know where your stuff is. There are tools that do that. Attack surface management, that’s something that we do and something I’m keen on. But I’m not keen on it because we do it; we do it because it helps customers.

Eric: Because we should do it. I want to go back to Rachael, the board member. What question are you going to ask of Dr. Richard Ford? You’re head of IT going into the holidays to know if you have a problem or not here?

Rachael: As a board member, I guess, wearing my hat where I read a lot of news coverage is. We’re vulnerable during the holidays when people are out of the office. That makes us a prime candidate to be further attacked.

On Top of Log4Shell

Rachael: On top of Log4j, what else should we be worrying about during this time off with people away from the office?

Richard: It’s actually interesting, Miss board member. In some ways, the tech’s job is harder when people are out of the office because how am I primarily getting in if I’m an attacker? It’s primarily phishing. Some of the war stories I could tell you from Praetorian, we have a very high success rate with phishing, even if you have MFA.

Eric: You’re red teaming an organization. That’s the easiest way to get in. The adversaries have proven that from the data that phishing is highly successful over the years.

Richard: Extremely. But a lot of people in the industry think that because they have multi-factor authentication, they’re safe and they’re not. Once I’m in your browser, I’ve got your MFA at that point, generally, because I can either steal your session tokens. There’s all kinds of things I can do. Once I am into your browser, I am you.

So with people out for the holidays, in some ways, it makes the job of the attack hard. Nobody’s clicking on those phishing emails. But in terms of managing your infrastructure, there’s a couple of takeaways, actually. So the hackers have holidays too, that’s a definite truth.

Eric: That’s to our benefit.

Richard: That’s sort of to our benefit. But a lot of the people we worry about at the nation-state level have different holidays than us. You can tell who you’re being attacked by, by going, “Oh, this is a holiday in this part of the world. Suddenly I’m not getting attacked.”

The Attackers Take Days Off Too

Eric: Like Chinese New Year may not be a big day to go after the Americans?

Richard: It could be. I don’t know why you’re picking on China, but yes.

Eric: I’m picking on everything.

Richard: It certainly could be a correlation that it’s a little bit quieter on networks for certain kinds of attack on those days. So the attackers take days off too, not always the same ones that we do. But there’ll be a lot of scanning. When you think about attacks around Christmas, one of the interesting things is trying to route or own all the electronic gadgets that people all turn on for the first time and put on the internet.

That’s an interesting target. It’s not commercial, it’s very personal. But all those devices become a target. From a corporate network standpoint, the attackers do have a little bit more time because it’s usually a skeleton crew. But one of their favorite ways of getting in, which is phishing, has been taken away from them. People just don’t do as much email over Christmas.

Eric: I feel like I do more personal, less work. The number of, I call them phishing emails, but it’s just really vendors trying to get my business over the holidays here is massively up. I go through email much faster as a result of the volume increase, so I pay less attention. Now, I’m not clicking on things other than the delete button 90% of the time, maybe more. But I do feel that just due to the volume, your guard is probably down a little bit. I’m more careless. Personally, not at work.

A Good Phishing Email

Richard: But a good phishing email will catch you off guard. Some of the stuff that’s out there is really very good. Some of the pretexts that get set up are very good. We have companies. We’ve got all kinds of tricks that allow us to do what we do.

Eric: So, Rachael, board member, we’re now off of Log4Shell here. It’s still a major concern going off the holidays because the adversary does have access. If they’ve gained access, of course. If you weren’t able to patch in time or they gained entry before you patched.

My guess, Dr. Ford, would be that there aren’t as many defenders working either. So if a nation state or a determined bad actor really has rule of the roost in many cases. That’s the problem we have.

Richard: It can be very bad for people burrowing in. I will say that even today, we are still discovering vulnerable versions of Log4j in people’s infrastructure. Even today, just this morning, we had another.

Eric: Well, you said you’d be doing it for the rest of time.

Richard: We’ll be using this for a while. If we are using it for a while, media attackers will be using it for a while too. This has been one of the craziest two weeks that I’ve had in my career.

Eric: That’s why it’s so serious in your mind.

Richard: Yes, because it’s this weird, subtle vulnerability where it’s not just the internet-connected things I need to worry about. It’s anything that handles data that an attacker can taint, whether that data comes through HTTP or DNS, or, God help you. I might be able to OCR this into your organization, which is crazy.

[25:34] Log4Shell Is Not Sexy

Richard: There’s some really crazy vulnerability channels. It’s not just, “Oh,” it’s not like Heartbleed, where you know you got to go patch a certain version of TLS. If it’s not talking TLS on the internet, it’s probably okay.

Eric: However, we’re treating it. Even Heartbleed had an interesting name, no offense, but Log4Shell is like, eh. It sounds like a Unix app.

Richard: It’s not doing it for you? You’re not a big fan.

Eric: It’s a problem. A lot of the people I talk to, when you look at the news, I don’t think people understand the severity of it. The name is part of it, it’s not sexy. It’s not something that’s like, “Oh, well I better care about that.”

Rachael: It’s not like the media express.

Eric: You worked your ass off for the last two weeks. I got to tell you, I didn’t work that hard on it. Our teams did. I didn’t have a lot of customers dialing us up and saying, “How exposed are we? Where’s the problem? How do you help us?” We normally get that. I would like a lot of my peers and a lot of people I know in the industry, unless they were super technical, they didn’t tend to have the same level of concern either. That’s a problem.

Richard: I was calling people on Sunday night when I realized how bad this was, just old friends. So not customers, just old friends.

Eric: What’d they say?

Richard: “How have you looked at this? Well, I knew there was something going on. Is it bad?”

Eric: It’s like logging, who cares? Nobody cares about logging. It’s like backups, not that important.

The Worst Vulnerabilities

Richard: Tuesday morning, I got a lot of thank you calls. It was nice.

Eric: They really saw the level of severity, but do you think the majority of the industry sees it that way? You described it as probably one of the worst, if not, the worst vulnerabilities or attacks that you’ve seen in your career.

Richard: I don’t say that because I’m going to make more money. I don’t say that because I’m trying to spin it up, I say it because I think it might be true. It’s just got all these weird arms and legs that have made it very unpleasant to fix. I can imagine things that would be worth it. They were more hardware-based, because they’re just a beast to recover from.

Eric: But have you seen them?

Richard: Yes, we are close with some of the Spectre, Meltdown things but there were ways around it. The point there is that those things were esoteric. They were hard to exploit.

Eric: Think about the scale, the level of access. We’re going to see this down the road. We may not be able to link it back, but we’re going to see it with data exfil, cash exfil, perhaps some espionage, sabotage. We’ll see different types of downstream consequences. I don’t even know if we’ll be able to link it back in many cases, but my gut.

Rachael: I think people also, though, the other part are people just exhausted. “It’s just still another thing. It’ll work out. We’ll have enough patches come through. It’ll work out. We’ll just ride the wave.”

A Brutal Industry

Richard: There’s a reason there’s pretty brutal burnout in our industry. We joke about that as industry insiders, but this is a brutal industry for people just burning out. You are on that hamster wheel of pain. At some point, you get numb and you go, “Yeah, it’s this remote thing that I can hit with a string. How bad can it be?”

Rachael: It’s almost like this thing that we have to live with like we were talking about before. You start looking at endemic situations and cyber is like that. It’s just this awful thing. I guess people are just getting used to living with it being awful all the time. It’s just chalk another one on the post of things happening.

Eric: How do we prevent it? It’s this small, fundamental piece of code that’s ubiquitous, it’s everywhere. It is going to stick around for a while. How do we prevent the next one? What could we have done, back in the day to prevent this?

Richard: Static analysis of code can help. The theory is by having everything open source, these things shouldn’t happen. I will offer Log4Shells. People are looking at it.

Eric: They’re open source when they do happen. A lot of people have been looking at it and using it and the problem is larger.

Richard: Potentially so, yes. This is a really difficult problem. A better approach is to say, “What are the things that I need to have taken care of before the next version of something like this happens? So that when this happens, I can react very quickly.” Cybersecurity is a game that is not won by the strong, it is a game won by the quick.

A Good Asset Inventory

Eric: What you’re saying is regardless of what the exploit is or the vulnerability, if you have a system, if you have an approach when that vulnerability or exploit appears, you will be able to more quickly deal with the environment that you manage?

Richard: Yeah. So do you have a good asset inventory? Do you know how to keep the inventory up in real-time? Because you can’t do it in spreadsheets in the cloud.

Eric: Or in a crisis?

Richard: Yes, because it represents what the network was maybe some time ago. You need to be automated, you need to be able to look at it like an attacker would look at it. And you need to be able to filter all that noise, because what is the CISO not wanting? The one thing that the CISO does not want is another blinking light.

If I offer the Richard Ford patented blinking light service to a CISO they’re just going to look at me funny and go, “No. I got plenty of blinking lights. We got lots of blinking lights. Some of them even blink on important things, but I’m not dealing with them.” We need to de-noise the world for the CISOs to tell them about what really matters. A good example is if I scanned your network, I’m sure I’d find things that were out of date.

But I shouldn’t tell you about all of them, I shouldn’t fuss you about all of them. I should tell you about the three that are causing you the most pain, that give you the most vulnerability. The ones that I could exploit today, not the ones that are vulnerable to some theoretical vulnerability that I’ve never seen anybody yet breached by.

The Priority Level

Eric: You started with this as saying you don’t need physical access. That’s a problem. If you need physical access, I would lower it in the priority level, risk level.

Richard: Your physical access point is very well made. When the storm isn’t raging, we have to be taking these preventative steps to understand what our attack surface is and who manages it. Half the time you find a box in your IP space. You’re like, “I have no idea who owns this box.”

We’ve dealt with customers in the last 14 days where they’re like, “Well, yes. You’re hitting this box on our network and yes, we can see it’s vulnerable. We don’t know whose it is.” Well, it’s yours, because it’s on your network.

Doing a really good job of understanding where everything is helping you because you are not scrambling when you could. So if you had good software bills of materials, you could very quickly run a query against that database and go, “This, this, and this. Those are the boxes I need to shut down,” or “Those are the boxes that I need to mitigate.”

The challenge, I have nothing but love, affection, and respect for anybody who would take the job of CISO right now. You are a crumple zone at the front of the car that takes the impact when something bad happens.

Eric: You don’t win. The best you do is crumple well and protect people. There’s no upside?

Richard: It’s a very difficult job. You can’t hire people, you can’t retain them when you do hire them. The salaries right now are stupid beyond words, for some of these positions.

[34:23] Vulnerabilities That Are Coming at You

Richard: So you have these vulnerabilities that are coming at you all the time while you’re being told to advance the transition to work from home or accelerate digital transformation or whatever it is that is mission-critical.

Eric: Reduce cost or whatever it may be. It’s a really hard job, so nothing but respect.

Richard: I’ve worked with remote CISOs the last couple of weeks who are just putting in crazy hours. They and their teams, sleeves rolled up trying to bail the boat. So I don’t want anything I say to be like, “Oh, we need to do better as a team. We all need to work harder.”

That’s just not realistic. We need to work smarter and do the things that matter and not just run around and try and patch for everything.

Rachael: But as we talked about in the past, sometimes people need that impetus to get out. Do these things that they should be doing, like with the whole Colonial Pipeline. Biden got involved and made it a thing and, “Oh crap. We need to do something.” But until the bottom falls out, are people going to do half of that inventory? Or are they going to get ahead of it or just think, “We’ll be okay?”

Richard: We’ll be okay. We’ll wait till next time.

Eric: You’re so busy, that’s what you’re saying. You’ve got to prioritize but you can’t get in. Everything’s number one.

Rachael: How do you start knocking those off the list if they’re all competing with each other?

Richard: You have to have a strategy and then you just have to manage it really well, you can do it.

Doing the Things That Matter Most

Richard: The job of a CISO is about managing resource constraints as much as it is about security and doing the things that matter most. That’s one thing that, as an industry, we haven’t always done very well. It’s explaining to the customer what actually matters most, because usually what matters most is what you’re trying to sell.

That is such a bad way to do anything. What matters most is the thing that’s going to harm your customer most. Even if that’s not what you sell, that’s what you should focus on. There’s so much money floating around the cybersecurity industry. It’s very easy for the most important thing to be the widget that I’m selling today.

Eric: That’s what I see. I’ve seen it throughout my whole career. We spend time on buying things as opposed to we’ve spent a lot of time talking about trust. We need to talk about risk, understanding risk, and we rarely get into a chat with that. As a product vendor, it’s commonly, “Here’s a list of requirements, which ones do you meet?” It’s like, “Well, wait a minute, what are you trying to achieve? What are you trying to do?” That’s really hard for customers because they want to buy products.

Richard: No, that’s exactly right. One of the things that we’ve done as an industry. It just hasn’t worked. If we get into feature wars with each other, “I’m going to have more features than Rachael’s product has. You can have different colored dots on the map, instead of still.” We should be focusing on offering cost security value rather than features.

ServiceNow Integration With Log4Shell

Richard: It doesn’t matter what my ServiceNow integration necessarily looks like if I can stop you from being breached. You didn’t buy me because I integrate well with Jira; you bought me because I can stop you being breached.

Eric: You should want to buy an outcome or an issue fix, not a bunch of blinking Richard Ford lights in a box?

Richard: I wish more people spoke to that. You are buying an outcome, but usually you’re not selecting based on outcome. You’re selecting based on features.

Eric: We’ve done a lot of sales training. One of the things Steve Thompson, famous sales trainer in the industry, talks about is, “Are you selling a quarter-inch drill bit or a quarter-inch hole?” It’s very basic, but as a salesperson it’s like, “Well, we spend so much time selling the drill. But what the customer should want and many times does want, is a quarter-inch hole.

That’s why they’re buying the drill and the drill bit and everything else. So if I can provide the hole, do you care how I get it done?” Just the same thing here, what are you trying to accomplish? What outcome are you trying to accomplish? How do we help you get that? Who cares about the blinky lights?

Richard: What the CISO really wants is to be able to sleep at night. To be able to be on that beach and really look at the sand as opposed to look at their cell phone and see what the latest is.

Eric: Today, the sales guy gets to do that, or gal. The sales people get to hit the beach and sleep because they just sell the widgets. We need to change the industry a little bit.

Who Get the Mission

Richard: We do. It’s one of the things that we have in common. From my time at Forcepoint, especially with G2, people got the mission; the government side of the firm, they got the mission. They understood that the job was stopping bad people and allowing good things to happen. That’s the nice thing about Praetorian as well. It’s a lot of folks who get the mission that we’re the watchers on the wall trying to allow you to have a safe, prosperous, and healthy business.

As a whole, sometimes we do drift a little bit on the mission. It’s especially bad because this is such a hot space for investment. You can get into cybersecurity for love, which is how we got into it. There wasn’t a cybersecurity industry when I started.

Eric: We’re fixing problems. This is great. Now we’re tired.

Richard: Or you can get into it to make a ton of money.

Eric: You don’t even have to be good and you make a ton of money.

Richard: The outcomes for the customer, though, look very different in those two worlds.

Eric: We’re coming up on Christmas time at this point. Good luck with Log4j and Log4Shell. I sure hope we make some progress here and our defenders don’t work harder than they have to. But I really do hope they protect our businesses, our organizations and our people. That would be my wish.

Rachael: Get a good night’s sleep, too. That would be good, too.

Richard: Well, it’s been a pleasure. Thank you so much for having me on. It’s always fun to hang with you all.

Most Significant Events of Our Time

Eric: It was great, and thank you for educating us. Thank you for educating our listeners. There are a lot of vulnerable systems and organizations out there. We’re just going to have to do our best and deal with them as we do. But I hope Richard is wrong that this is not one of the most significant events of our time. I think he’s right.

Rachael: In my history of knowing Richard, he’s always usually pretty right.

Eric: He’s usually spot on. Not only does he know things, he sees things. He knows what’s going to happen. That’s what makes him such a great guest and person to talk to.

Rachael: 100%.

Rachael: Great to have you, Richard. Hopefully, you can come back again soon. Thanks to the lovely woman on Twitter who did give us a shoutout on the podcast. We greatly appreciate the feedback. For all those folks out there, you can get a fresh new episode every single Tuesday right to your inbox if you hit the subscription button. It’s really that easy and you get Eric and Rachael and now, Richard, delivered to you on Tuesday.

About Our Guest

Dr. Richard Ford, CTO - Praetorian

Dr. Richard Ford is the Chief Technology Officer of Praetorian. He has over 25 years of experience in computer security, working with both offensive and defensive technology solutions. During his career, Ford has held positions with Cyren, Forcepoint, Virus Bulletin, IBM Research, and NTT Verio. In addition to work in the private sector, he has also worked in academia, having held an endowed chair in Computer Security.

He worked as Head of the Computer Sciences and Cybersecurity Department at the Florida Institute of Technology. Under his leadership, the University was designated a National Center of Academic Excellence in Cybersecurity Research by the DHS and NSA. He has published numerous papers and holds several patents in the security area. Ford holds a Bachelor’s, Master’s, and D.Phil. in Physics from the University of Oxford.

Source: https://www.forcepoint.com/resources/podcast/log4shell-holidays-dr-richard-ford-ep-164
