- Zero Trust
January 6, 2020
Hosted by JD Sherry, Chief Strategy Officer, Remediant
We’re excited to have Ann Barron-DiCamillo, Citigroup, Managing Director, Global Head of Cybersecurity Operations on our latest video podcast. JD and Ann discuss some of the hottest cybersecurity topics of the past couple weeks including the latest SolarWinds breach, incident response preparation, cloud and digital transformation. They'll also discuss staff development and continuing education to stay ahead of the fast changing security environment.
Hey, everybody. Welcome again, back to Cyber Whiskey, Water, Wine, Wednesdays. My name's JD Sherry, chief strategy officer for Remediant, it's good to be with everybody again. I am so excited about this week's podcast, lots of things to talk about. But more importantly, it's an honor to have really one of the industry's luminaries when it comes to cybersecurity in both public and private sector, financial sector, please welcome Ann Barron-DiCamillo to the program. Ann is a long-time friend of mine and I have a tremendous amount of respect for what she's done in her career and what she continues to do. And we've got some exciting stuff that we want to talk to you about in the new year that she's going to announce, but Ann, would love to welcome you to the program. Thanks for coming and we've got our wine today, so cheers to you.
Cheers, thank you so much, JD. Oh, I have to drink.
Yes, you bet. And I would love for you to talk about what you've got new going on in 2021 and tell everybody what's new.
Sounds great. Thank you so much, JD, for having me, I really am excited about talking about cybersecurity things today. This week has been a interesting week for a lot of us in the cyberspace, so lots of things to get into but before we get into that, I'll get a little bit of overview of my news for 2021. So previously, I was the vice president for cyber threat intelligence and incident response, another wordy title, at American Express, where I ran global cybersecurity operations. But as of the beginning of 2021, I'll be taking on a new role at Citi group where I'll be a managing director, global head of cybersecurity operations for Citi.
So excited about that. I'll be responsible for all cyber operations, including assessments, monitoring, detection, intelligence, incident response, recovery, the whole gamut of incident response from end-to-end. The security operations center will be part of my organization, the cyber fusion centers, which includes things like red teaming and pen testing, and a lot of different aspects of that. And then the vulnerability assessment team, so I'm excited about this because it's taking on new areas for me, or new experiences and new capabilities. And working with a really tremendous group of folks over there, they have some amazing talent and I'm just excited about joining Citi in 2021.
Congratulations, that's fantastic -
... and so well-deserved, for sure. I do think that for many of us, you've forgotten more about incident response than we'll ever know, just because of your background. So with things that have been coming out of 2020 and gosh, thank heavens we're out of 2020, right? And in 2021, we hear more of some of the collateral damage from the SolarWinds breach, certainly with your background in the federal government and in DHS. We've seen a number of agencies come out of this that have been impacted. What these folks dealing with right now, for people that are professionals and in the IR space, but maybe those that don't quite understand the gravity of what these kinds of breaches do to an organization? What are they dealing with right now and what are some of the things that they're scrambling to get mobilized?
So I think the institutions that have a really strong cyber security incident response plan and not only have a plan, but they've exercised it repeatedly will just go right into that plan. And they have a much easier time of dealing with this instead of hair on fire, which happens if you don't have an incident response plan. If you haven't exercised it, it does become a hair on fire situation. And so I think those institutions that have those pieces and parts, and they've done the homework to make sure that they've exercised it in different ways you can stress test it. I know at American Express, we would do multiple exercises internally, externally, across the sector, with government, just to make sure that when a bad day happens that we don't just default to everything's escalated and there's no rhyme or reason to how you're responding.
So, I think the institutions that have that are much better able to deal with the situation that hit, it was 18,000 companies this week. That's a large group of institutions and entities that are dealing with a really significant actor set. You hear about advanced persistent threat, this one is legit and I think knowing that there's a lot of folks that are really going through the efforts to button things down and to validate. And everything across the board is being looked at, but those who have that response plan, I think have a measured way as well as a prioritization. It really helps you prioritize which things you need to focus on first and making sure that you're doing the right communications at the right levels both across the enterprise, as well as up to senior leaders, to board, to regulators, to sector partners. I think having that plan, it's captured and it really helps ensure that you're not missing things along the way or duplicating efforts.
Yep, exactly. It's key when you talk about leaning on a good malware plan. Do you feel like organizations rehearse that enough to where they're doing tabletop exercises and all of that to try to simulate that, or do you think that's still a pretty weak spot in most organizations? Even that have the resources, let alone the companies that don't have resources to even think about an IR plan, right?
Well, they always say, is it the Sun Tzu, The Art of War, no plan with no amount of... What is it, what is it? The plan doesn't... The first touch with the enemy, your plans go out the door, right? I'm summarizing because I forget Sun Tzu's exact saying, but basically, I think the plan still helps you kind of... It's nothing ever happens per the way you've exercised it, right? But having a plan helps you at least make sure that there's not some huge gaps associated with how you go about addressing this, I think our institution is doing enough. Some institutions I think are, the financial service sector is definitely prioritizes exercises and resiliency and recovery. Having been a part of it now for four plus years, I think they prioritize this. They have teams, they have the capabilities, they have ranges. They're engaged in communities of interest from FS-ISAC, to working with Homeland and Treasury and others, domestically as well as internationally.
And so I think there's a lot of good effort that goes into it to help them on the... I can talk to the financial sector side. I think where companies that are probably going to be struggling are some of the medium to smaller sized companies that don't have exercises or don't participate in them as often, and maybe they've only stress tested their plan once. I think that's probably going to be a little bit more difficult, but it's definitely an important component part of the security operations center, cyber fusion center, whatever you're calling it, to make sure that you have an exercise team. And that you're doing not only tabletops but live drills or live range activities, either in a range or even in a production environment, you can do both.
I think doing both is really important. Having a red team do activity within your environment, obviously a BAU is better because then your analysts respond to it as they would in a normal event. When you take them into arranged, sometimes there's a bit of falseness that can happen there. But the blend of both and having those opportunities for training, because that's really what exercises comes down to is training and helping make sure that on a bad day, or a bad week, or whatever, a bad month, that they know what they need to do and take the proper steps to help mitigate and contain.
I like to call that purposeful practice, right? When you practice something, there's a purpose for it and in this case, it's the dress rehearsal for a really bad day for a lot of companies. You brought up something that was interesting around the red teamers and for something like this, have you seen in your past, with what you can disclose... The thing that floors me with things coming out of the SolarWinds impact is that it's not so much that the SolarWinds platform was breached. That certainly was the element that's spread and distributed the malware, that was the distribution component. But really once they got in there, it was all about getting credentials and moving [inaudible 00:00:09:00]. So with red teamers, do you often see that that's... As much as these breaches use admin credentials as the main mechanism to move laterally, do you see this similar thing in the red team preparedness when they go at things, that they're seeing admin credentials as the easy way to get into things too?
Yeah. I think that's the, not the Holy grail but that's the... If you have a task for a red team, right, they have a task of which they're trying to achieve. And most of the time in order to achieve that, they're going to have to have some aspect of credentials. It doesn't always have to be admin, I think we're seeing now there's still ability for normal user credentials to give them some type of access to certain aspects if you know the infrastructure and you know the entities. But both of those, just having access to credentials is a fundamental part of a red team exercise and ensuring that they can get to that task. There's many channels and many ways to get there but most of them, almost all of them, are going to require some aspect of credentials in order to achieve that goal.
I mean, because I think that's what folks are dealing with now and it's like, okay, well how do we clean that up? Because they may be able to patch SolarWinds and they may be able to do other things, but the admin access is still out there. And depending on where the attacker is and where they're hiding, and where they've been able to maintain a sleep cycle or a clandestine presence of other admin accounts, it's really tough to get them out in the form of a, for lack of a better term, like a whack-a-mole to get the attacker out of the environment, right? With the admin access. So I was really keen to get your thoughts on that, having run red teams yourself.
One of the things that I'm really keen on with the people side of how you're developing your large organizations, what are some of your strategies that you're working with? Maybe your new folks, both male and females that are trying to break into cyber security, what are you really emphasizing as you grow the people component in your organizations to just make them better individuals and employees, but also level up their skills from a cybersecurity perspective?
I think a lot of folks ask, "Should I get a certification? Is there a certificate or is there some type of course work that I should do in order to get into the field and then once I'm in the field, in order to get to that next role?" I think organizations have, like AmEx and Citi and others, have put together a matrix of roles to requirements, to experience. So that way you can say, "Okay, I'm starting off as a security operation analyst, maybe right out of college, which is a great way to start but in three years, I want to be maybe a hunt and be on the hunt team. Or I maybe I want to get into threat intelligence, or maybe I want to do the red team."
Helping them understand the level of experience, what kinds of things they need to have, and then they can try to map that into their role so they can get that experience, as well as sometimes it does take certifications. Or it does take some aspects of what you would get from a certification through experience. We do the five-plus things where it's five days you can go and do training, and one of the analysts on my team really wanted to learn more about Elastic and the whole Elastic platform. And he built one at home and spent five days understanding the differentiators between Elastic platform and what you get from a traditional SIEM infrastructure and what the benefits and the textures are on each and how do they work together?
And so I think there's also an aspect of self-learning, there's a great article I read about cybersecurity professionals. It's a continued education throughout your career, even into senior executive levels, I'm doing cloud guru training myself right now. And so I think understanding that you're going to be on a continued education path throughout your career and then you map that to the next role that you want to do in conjunction with experience. And then having an organization that helps you see what those matrix of opportunities are and help you create that path, I think is a winning combination and why some institutions are probably better at retaining talent. And better at recruiting talent because they have these established programs in place to help, because it's all about education. It's all about training in our industry and if somebody will help pay for that and help provide that to their colleagues, I think it's a differentiator from a job seeker's perspective.
That's brilliant. You hit on something that really resonated with me, that I think is fundamentally different in our industry than finance or something like that, where so much of our environment and theater and landscape changes almost on a daily basis, right? Where the attacker's literally on multiple steps, if not miles in some cases, ahead of us. And so that continuous learning is so important to try to stay current and that's a little bit different than a finance executive that yes, that experience matters, but finance in the most part is kind of finance, right? It's definitely going to follow along certain swim lanes with us, and we get something new every single day, right?
Think about 2020 and the changes we saw with ransomware coupled with extortion, the double-edged sword. In 2017, no one saw ransomware act that way or those campaign and actors behave that way. But this year, that's predominantly the only way you're seeing ransomware as it's coupled with that extortion component, and I think it's really changed the way organizations respond to ransomware. I think in the past, a lot of organizations didn't feel like they would pay the ransom, but now it's a brand reputational issue, it's a customer exposure issue. It can take down a business and it's created all these cottage industries that have popped up. There's actually ransomware negotiators now, isn't that crazy?
So yeah, the industry that we work in, what we see in 2020 and versus where things will be in 2023 or 2025, I can only surmise but I definitely think it will be a very different response... Or incident response responsible look different in a few years than where it is today, just because of automation orchestration. There's a great article I read about, it'll be like the water treatment systems and which is a different way to look at it, too. So there's a lot of great thought leaders out there that are thinking about where this industry is going because of the collective response of large corporations and government entities working together on things, like we've seen this week.
You touched on some of the continuous improvement you're doing around cloud. I'm curious to get your thoughts on, from your background, the everybody's sprinting through digital transformation to the cloud. It seems weird to even say that, but we are having companies come in a little bit cautiously late for variety of reasons, to just feel comfortable. And those environments have their fair share of incidents and outages, and it's still somebody else's data center that you have to deal with, right? And you have to bring your processes with that. What are you looking at in 2021, from a cloud perspective, either from leveraging it for your team to incorporate the ability to do labs, templates, tools? And then the second part of that question... So that's for the good. The second part of the question is, what are some of your concerns still with cloud ecosystems, in particular for financial institutions?
That's a big question, but I would say, I think you're... Because we're such a heavily regulated environment, we have had financial institutions in general have had a slower adoption with the cloud environments because of just the onus of the regulatory environments. Not only to say we're also managing the monies of everyone around the world, and so the regulatory aspect and then just the lens of the kinds of data that we have within our data centers has really slowed the adoption. And the running towards the cloud that you've seen in some industries, it's not happening as much in the financial services. And I think it's been very thoughtful with the prioritization of the types of data that you're going to put into the cloud.
Are we going to jump forward and put PII data out there? Maybe probably not for our initial, I think there's going to be a lot of thoughtfulness, and there is a lot of thoughtfulness that's put towards starting off in the cloud. And get in hardening what you're doing and then there'll be a trickle growth or adoption associated with that and it'll just start to blanket it. I do think there'll still be a lot of large institutions that will have a hybrid approach, meaning that we're not going to all go in to a cloud adoption. Or we're not going to all stay in a traditional data center infrastructure either, there'll be some aspect of a hybrid approach that will most likely be the norm going forward for large institutions trying to leverage the inherent capabilities, the inherent underlying aspects of why you want to go to the cloud.
I think you're seeing a lot of institutions that did lift and shift without thinking about what they were getting in the cloud, that didn't get the benefits of why you go to the cloud. And so I think there's some folks that have changed from that as well, to make sure that you're you're leveraging the cloud container environment because you want that capability that comes with that. So then you have to think logically about what types of data and what kinds of applications, and in some things are going to be in the cloud and some things will be in a data center. And there's some aspect of collaboration between those two environments that's got to happen, but it's a measured way. And I don't think there's... There's not one way or one silver bullet for any institution.
I think every institution I've talked to is doing it differently and all with this approach towards possible pivoting as you do something too, that maybe isn't the right initiative or adding additional things to it. And really working closely with those individuals that are experts in the cloud environment, to make sure that you're getting that knowledge from them. That's why I'm doing the cloud guru training because I have exposure to it, but not to the extent that some of these folks do. And I think we all are... Continuing education, it's a great thing to add to your list, your five-plus, because it's going to be a requirement for more and more of us to become semi-experts in different aspects of it.
Awesome. I think in the last closing thought on cloud, in security for many moons, we talk about cloud and security not necessarily being intrinsically connected, right? So really, a simple way to think about it is security should be a way for people to do digital transformation and move to the cloud quicker, not necessarily slow things down. And I have taken up a lot of your precious time, thank you so much. Congratulations on the new role.
I think I'd say this, that 2021 is going to be a great year, so thanks for spending some time with me to start this off. And I really look forward to working with you in 2021 and all the great things you're going to do there at Citi.
Thank you. Thanks so much, JD. I hope you have a very happy holidays and I look forward to connecting. And hopefully once we have an opportunity in person, one of these days as well.
Absolutely. Thanks, Ann.