Protecting Your Organization from Cyber Criminals


Bill Russell / Dr Eric Cole

Eric Cole - This Week in Health IT

About this guest...

Share Now...

Share on linkedin
Share on twitter
Share on facebook
Share on email

Show Sponsor(s)

January 27, 2021: Today’s focus is defense. How do we defend the security of our health systems in a scalable way that works? Dr. Eric Cole, former CIA professional hacker and Founder of Secure Anchor gives us the lay of the land. As companies expand their digital offerings they need ever evolving strategies to safeguard their most critical data. There’s strong perimeters but not a lot of internal security. Once a cyber criminal gets in how do you stop them? What can we do to protect ourselves from ransomware? How do you hire, train and retain world class security staff? What kind of qualities should you look for in a CISO? If you outsource your security how do you determine if they’re doing a good job? How do you redo a security budget? Is it education? Prevention? Detection? And what about external business associates that have access to your network? Call centers, insurance carriers, innovation companies, pay centers. We are just poking holes into our network to allow information to go back and forth. How can we do this better?

Key Points:

  • You need to recognize that your organization is going to be a target [00:04:32] 
  • Cybersecurity is not about prevention. It’s about timely detection. [00:05:14] 
  • A big challenge in security is knowing your assets. There might be servers that are accessible from the internet that your organization is not aware of. [00:07:28]
  • Your security budget is probably way over on capital expenses and way under on operational [00:09:59] 
  • The best security staff have analytical type skills. It’s all about problem solving. [00:13:05] 
  • Everyone’s focused on inbound prevention but the goal and the way you win this game is outbound detection [00:19:35]
  • Security is 3 things: Confidentiality. Integrity. Availability. [00:38:25] 
  • What are the tools of a threat hunter? [00:39:12] 
  • Secure Anchor
  • Dr. Eric Cole YouTube

Protecting Your Organization from Cyber Criminals with Eric Cole

Episode 357: Transcript – January 27, 2021

This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

[00:00:00] Bill Russell: [00:00:00] Thanks for joining us on This Week in Health IT influence. My name is Bill Russell, former healthcare CIO for 16 hospital system and creator of This Week in Health IT, a channel dedicated to keeping health IT staff current and engaged. 

[00:00:17]Special thanks to our influence show sponsors Sirius Healthcare and Health Lyrics for choosing to invest in our mission to develop the next generation of health IT leaders. If you want to be a part of our mission, you can become a show sponsor. The [00:00:30] first step is to send an email to [email protected]

[00:00:35]Your response to Clip Notes has been incredible. And why wouldn’t it be? You helped create it. Clip Notes is an email. We send out 24 hours after each episode airs, and it has a summary of what we talked about. It has bullet points of the key moments in the show, and it has one to four video clips. So you can just click on those video clips and watch different segments that our team pulls out that we think really captures the essence of the conversation. It’s a simple to [00:01:00] sign up. You just go to this week. Click on subscribe, put your information in there and you’ll start receiving, uh, Clip notes. After our next episode airs, it’s a great way for you to stay current. It’s a great way for your team to get to stay current and a great really foundation for you and your team to have conversations. So go ahead and get signed up. Get your team signed up and begin getting clip notes after the next episode. Now onto today’s show.

[00:01:24] Today. We have Dr. Eric Cole with us to talk cybersecurity. Good morning, Eric. And welcome to [00:01:30] the show. 

[00:01:31] Eric Cole: [00:01:31] Thank you for having me. It’s a pleasure to be here. 

[00:01:33] Bill Russell: [00:01:33] Wow. I’m looking forward to this conversation. There there’s so much going on in healthcare, around cyber and and just the whole the whole framework of security.

[00:01:42] We have the recent attacks, the breaches, and we’re going to cover a lot of ground here today. Cause I’ve followed your stuff on LinkedIn and I really, really appreciate it. A lot of stuff that, that you’re saying before we get there, though, I want to sort of set your credentials. Tell us a [00:02:00] little bit about your cybersecurity background and a little bit about yourself. 

[00:02:04] Eric Cole: [00:02:04] So I began my career back in the late eighties, early nineties at the CIA and I was a professional hacker. So I was on the offensive side and I was your super geek, right? Put me in a lab with a lot of computers and I was happy, but after eight years of doing that, two things happened.

[00:02:20] One, I got bored. Because you can always break into a system. There’s always ways in, as long as you have functionality, there’s going to be exposure [00:02:30] points. So it got easy. So I switched my focus to really focus on defense. How do we defend and protect against it in a scalable way that works for organizations like healthcare?

[00:02:40] And the second thing I realized is that I like to be my own boss. I don’t like to work for stupid people. Don’t mean as a negative, but I’m just not good that way. So I don’t always do what I’m told. So I became an entrepreneur cybersecurity and I bought and sold a few companies. So I had TSCI. We sold that to Lockheed Martin [00:03:00] and then Bob Stevens, the CEO at the time kept me on as his chief scientists focus on all cybersecurity breaches for all of Lockheed Martin.

[00:03:08] I then went to McAfee and redesigned their entire product line and we sold that right to Intel. And now I’m running my own company, Secure Anchor and really my focus for the last four to five years is on cybersecurity strategy and leadership. Because to me, when you really fundamentally look at the problem you don’t really have good cyber security thought leaders. You have [00:03:30] really brilliant world-class technical geeks that can program track or do anything. But when you really have cybersecurity people, there’s very few that can step back, understand the business, look at what business you’re really in. And instead of implementing security that disables the business, I’m all about how can you implement security to enable the business to be more successful?

[00:03:53] Bill Russell: [00:03:53] All right. Here’s where we’re going to go with this. We’re going to role play a little bit. I’m going to be the CEO for a major health system, and you’re just going to [00:04:00] do you, you’re going to do the CISO. I’m going to help you to defend and those kinds of things. I, so here’s, I guess my first question is what do I need to know as the CEO of a health system?

[00:04:13] That I’m trying to expand my digital offerings. I’m trying to make healthcare more accessible in the community. I’m putting out digital tools, we’re doing remote patient monitoring. We move people out of the home. We’re doing a lot of things that we haven’t done before. What do I need to know as a [00:04:30] CEO of a health system?

[00:04:32] Eric Cole: [00:04:32] First, you need to recognize that your organization is going to be a target. You are going to be targeted. The other thing you need to know is that the probability that your organization is already compromised is probably as close to a hundred percent as you can get. So the adversary is already in and has access to your network.

[00:04:52] So now what we need to do is how do we design security in a way that even if somebody is within your environment and [00:05:00] network, we can still protect and secure the critical information and the critical data. And that’s what it really comes down to is what is the most critical data to your organization? And what measures can we put in place to protect secure and get visibility? 

[00:05:14] So cybersecurity is not about prevention. It’s about timely detection. So I need to understand your business. I need to understand how you make money so I could put the proper visibility in there. So when breaches do happen, we can minimize the [00:05:30] control damage.

[00:05:31] Bill Russell: [00:05:31] All right. So you’re saying as the CEO, first of all, you’re in true to form. You’re scaring the crap out of me. And and that always happens whenever I sit across from people like yourself who’ve hacked  organization and know the vulnerabilities you essentially say, look, I can get in. We can get in. 

[00:05:53] And my history would prove that I, I share the story sparingly on the show, but I’ve shared it before where [00:06:00] we had an internal auditor. I went to him. And my team had come to me and said, Hey, I feel pretty good about our security setup. I said, great. Well I’ll test that out.

[00:06:10] So I went to the internal auditor. I said, look, here’s the deal. What’s your fee for your normal security, penetration testing. Can you get in hackathon kind of thing, getting getting into our system. And they gave me the fee, it’s pretty high as you would imagine. I said, all right, here’s the deal?

[00:06:28] If you can get in and get to certain [00:06:30] assets, I’ll pay your fee. But if you don’t get in, I’m not paying your fee. And within 48 hours not only had they gotten in, but they essentially had the lay of the land. And we’re not talking about a system that was underfunding security. We were spending, I dunno, 6 to 9 million dollars a year on cybersecurity, and we still couldn’t keep them out.

[00:06:51] Now they were people with credentials like yours. They had a team of people that former NSA, whatever, but they were using [00:07:00] very let’s just say not very sophisticated ways to get into our system but once they got in, they use very sophisticated tools to to really have their way across the broad network and access.

[00:07:18] Is that still what we’re worried about? We’re still worried about people coming in doors that we just leave open but then they use sophisticated tools to go wherever they want? 

[00:07:28] Eric Cole: [00:07:28] So the two biggest challenges today [00:07:30] with health care organizations is one servers that are accessible from the internet that the organization is not aware of.

[00:07:37] Several of the healthcare breaches that have happened had to deal with healthcare organizations that did migrations. They acquired other providers. And what ended up happening in all the scrambling was there were servers that were accessible from the internet that contain critical data that nobody knew about.

[00:07:54] And because they didn’t know about them, they couldn’t protect them. Patch them or keep them up to date. So that’s [00:08:00] problem one, knowing your assets. And the second problem is targeting users, phishing campaigns, where you’re going in, you’re sending a well-crafted email, getting them to click on it. Nowadays it’s almost too easy. If I send anybody an email with the subject line that says “”coworkers infected with COVID. And I have an email that says five of your coworkers have recently tested positive to COVID. Please click on the link to see if you’ve been in contact with them. It’s a guarantee. I mean, I could [00:08:30] just sit down and give you 30 minutes of security awareness and you’re still clicking on it because we are so concerned about it.

[00:08:36] So phishing attacks against individuals is the other way. To get into the organization and the two big problems that organizations have. One is they still have these strong perimeters and there’s not a lot of internal security. So when the perimeter gets breached, you could move very quickly within the organization.

[00:08:54] The other problem with security is they’re overtaxed, understaffed. They have way too [00:09:00] much technology and it’s generating way too many alerts and there’s not enough staff to respond to it. So with a typical healthcare organization, I worked with, they’re getting 15,000 alerts a day from their security software and their team can only respond to 300.

[00:09:16] If you’re getting 15,000 and only spotting the 300, you’re going to lose. So what I actually did with them which is counterintuitive. I took out half the technology and I downplayed it. So now they’re only getting 300 alerts, but they’re the most [00:09:30] critical, highest priority. Sometimes less is better when you’re understaffed.

[00:09:35] Bill Russell: [00:09:35] All right. So I’m back in the CEO role, I’m investing money. I feel like I’m throwing a ton of money at this. Somebody told me to spend $6 million, I’m spending $6 million. Redo my budget for me. Is it education, prevention, detection? What I hear you saying is we almost have too much technology at this point.

[00:10:00] [00:09:59] Eric Cole: [00:09:59] Yeah. So I would say you’re probably way over on capital expenses and way under on operational. So what I would do is I would say, can I take that 6 million and can I narrow it down to 2 million, but you’ll let me hire six more people. So can I trade in the tech for more people? Cause the problem today is that our technology is not tuned and running correctly and we need more staff that are properly trained.

[00:10:27] Bill Russell: [00:10:27] Great. All right. Well, let’s talk about that. Staff [00:10:30] properly trained. I mean that’s the big challenge. I mean this is one of the hottest areas to be hiring people today. And it’s just hard to, it’s hard to find them. It’s hard to attract them and hire them. Do I get to a point where I’m just saying look I’m just, I’m going to outsource my operating center or my security operation center? I’m going to outsource some of this stuff because I just, I can’t hire fast enough. I can’t get the skill sets. 

[00:10:58] Eric Cole: [00:10:58] So two years ago, I would have [00:11:00] absolutely outsource is the answer. The problem in the last 12 months is outsourcing companies have grown so quickly that they are underperforming on their contracts because they just can’t hire enough people.

[00:11:13] So they have the same problem that you have where they can’t hire enough, so you can outsource it, but you’re not going to get quality folks. So I recommend one of two things, right? Either one it’s better to have one world-class engineer at 300K a year, than three [00:11:30] 100K folks. So you’re going to have to overpay. So it’s better to have that top notch. 

[00:11:35] Or the other one is get creative. And I know what some larger healthcare organizations, HR, isn’t always in allowing this, but go in and find some really top-notch people from colleges and give them a five-year contract saying, listen. I’m going to overpay you. Now you you could probably get a hundred K. I’m going to give you 150, but I’m going to keep it that way for five years. I’m going to spend the [00:12:00] first year training you, but then you have to agree to stay with us for four years.

[00:12:03] And if not, you have to pay us back the money. So to me, you just have to get very creative in investing because otherwise what happens is you get these junior folks. You spend a lot of money training them. They’re worth twice as much. You can’t afford them anymore. And they go to somebody else. So you got to get a little more creative in the hiring process to keep and retain them longer.

[00:12:23] Bill Russell: [00:12:23] All right. I want to go in two directions. One is what kind of training program do I put them on? But I also want to come back to the, to the [00:12:30] outsource SOC. I want to know if I have done that how do I look at it and determine if they’re performing at a level that they should? But let’s stay on the staffing side of it.

[00:12:43] So I love that idea by the way. I mean, so we go, we go to the local college and university and we get top-notch people. What fields should I be getting them out of? If they’re not, are, is it computer science? Is it, or does it not even matter? I’m just going to put them [00:13:00] into a security training program.

[00:13:03] Eric Cole: [00:13:03] Computer science would seem like the most obvious, but when I’m actually finding are even better are analytical type skills. So psychology majors are making really good security operation center analysts, statistical majors, and anybody. That’s all about problem solving. So anyone that understands human nature understands how humans operate and are masters at reading people and [00:13:30] understanding and solving problems.

[00:13:31] That’s who you’re going after. Here’s the part, the technical skills are easy. I can teach anybody the computer science but I can’t teach you the analytical either. You have it, or you don’t. So during the interview process, you want to ask a lot more questions on how do they solve problems? How do they go about when they have a difficult problem they can’t solve?

[00:13:52] What do they do if they get stuck? How often, how long do they give themselves to solve a problem? It’s all that style of [00:14:00] questions, because that’s what you’re looking for in a really good analyst on the security engineer side, then I would recommend once you hire them, you want to send them through some of the standard certifications out there.

[00:14:11] You have your CISP, your certified information systems, security professional. You have your Jack J security essential certification. You have security plus. So I would say plan on. Probably six of the first 12 months, they’re going to be in training that they’re going to be 50% [00:14:30] in training the first year.

[00:14:31] And then the other 50% is really just hands-on. You’re just letting them go in the lab, play around. So you’re going to get a little value, but you’re really not going to get much output until that first year. So after that first year of training, then you’re going to start getting a lot of value. And then by the second year, that’s when sorry, the third year they’re going to be invaluable to you.

[00:14:51] Bill Russell: [00:14:51] All right. Let’s go back to the SOC as well. So I’ve outsourced, let’s assume I’m a CEO again. I’ve outsourced. [00:15:00] How do I determine if they are doing a good job? If they’re meeting the, I mean, it’s more than just contractual obligations. It’s that, they’re. They’re letting me know if I’ve been breached. They’re letting me know if there’s people with activity. I mean, so they’re, they’re on top of things. That’s what I’m paying for. I’m paying for the fact that they’ve done this before. They do it every day. They do for a lot of clients. They have the expertise. How do I make sure that they’re doing [00:15:30] this?

[00:15:31] Eric Cole: [00:15:31] So two important things. One is you must get monthly metrics and reporting from them. Where they’re telling you the number of incidents detected number of response. You need to see the numbers because otherwise no news is good news or no news is bad news. So it’s very hard to tell. So you want to make sure that your security team is getting it.

[00:15:54] It doesn’t have to be complicated four or five metrics on true positives, false positives attacks, [00:16:00] detected remediation measures, but you should be getting some basic metrics from them on a monthly basis. And then the second thing you must do, which they don’t like is you must do unannounced tests of your network to see if they detect it and respond.

[00:16:15] Because most of the security operation center in the contracts that says, if you’re doing a pen test or an ethical hack against the organization, you must give us 24 hours notice well between you and me. That’s the most galactically [00:16:30] stupidest thing on the planet. That’s like saying, if you’re going to Rob my house, you must tell me you’re going to, I mean it’s illogical.

[00:16:37] So I tell companies don’t do that. You should have somebody on your team, or you should have an outsider that once a month unannounced and not on the same day, they just go in and start doing a heavy scan against your network. And then you sit back and you hold your phone and you wait for it to ring.

[00:16:55] And if it doesn’t ring, that should be an immediate problem that something’s going on [00:17:00] because the SOC needs to catch unannounced attacks. Cause that’s how the adversary works. So you need to keep them on their toes. And what I will tell you will happen is if you’re that customer, that they know that you’re testing them, you’re tracking them and you’re watching them.

[00:17:15] You’re going to move to the top and get their really good engineers. The customers that aren’t contacting them. That they don’t hear from for a couple of months that basically are paying them and they don’t care what you do. They fall down the list very quickly and get the [00:17:30] very low end newbies in terms of that. So you have to keep them honest and keep the pressure. 

[00:17:36] Bill Russell: [00:17:36] Yeah. So after our, after the contract I did with the internal auditor, they got in and I sat down with them. I’m like, all right, what are we doing wrong? And one of the things that they flipped in my head was the whole idea of a strong exterior, you’re going to be able to keep them [00:18:00] out. They said, look, assume they’re in. Assume they’re in  because even some of your hacks are coming from your employees, right? They are they’re essentially taking medical records. They’re selling them for various reasons. They can be selling them because they’re getting money for them. They could be doing a lot of different things.

[00:18:17] So I said, let’s stop, but not stop completely, but just. Stop with the emphasis on the exterior and start with the you’re looking for activity  on the [00:18:30] wire. They’re already in assume they’re already in now start to build your security practices as if they’re already in the front door. Is that still the case or is there even a more sophisticated way to look at it at this point?

[00:18:42] Eric Cole: [00:18:42] Yeah, that’s spot on. And it’s funny you say that because actually this morning I gave a presentation to a CIA sorry, CIO council. And the name of my presentation was defending a compromised network. And that’s pretty much the method. The only thing I would add to that is let’s really step [00:19:00] back and say, when does the damage occur?

[00:19:03] The damage occurs typically with the outbound exfiltration. Now, yes you could argue that if somebody is deleting data or ransomware, that could be impactful, but most of the damage are stolen records, confidentiality attacks, which is outbound. So what I would tell a CIO, you need to start with outbound detection.

[00:19:23] If you brought me into your organization and you were concerned about security, the first thing I would start doing is looking at everything [00:19:30] leaving your organization, I’d set up outbound proxies, and I’d start filtering that really tight. Cause once again, everyone’s focused on inbound prevention, but the goal and the way you win this game is outbound detection.

[00:19:43] Bill Russell: [00:19:43] Yeah, so you’re good. All right. You brought, you brought up the word ransomware and it would be it would be criminal for us not to talk about it. There’s been a lot of ransomware in healthcare this year. And even recently post-election, there’s been some ransomware [00:20:00] attacks. What are we not doing well in order to protect ourselves from ransomware at this point? 

[00:20:08] Eric Cole: [00:20:08] To me, what we’re not doing well is we’re not understanding the difference between replication and backup. So I work with a healthcare organization and they said, Eric, we don’t have to worry about ransomware. We have four levels of backup. We are data. Anytime we make a record change, anytime we update it is automatically backed up [00:20:30] the four other servers in real time around the country.

[00:20:33] So our data is good and I stopped him and said, no, you’re replicating your data. So if a server fails, you’re good. If a hard drive fails, you’re good. I said, the problem is you’re confusing, replication and backup. If I come in with one server, that’s replicated four times and I encrypt that data, what’s going to happen.

[00:20:53] It’s going to get replicated to those four. And now within 30 seconds, all four of your servers [00:21:00] all have encrypted data. That’s held ransom and you can’t recover. That’s the problem. It’s not backing up. You still need to do old school, backup the tapes. You still need to back up to offline media. So if your replication gets corrupt, You can still recover the information.

[00:21:17] Bill Russell: [00:21:17] We just – you’re killing me. We just got rid of all that stuff. I mean, we went to this high end. We got rid of the tape robots and the libraries. It was too intensive too crazy. The failure [00:21:30] rate on the tapes over time was bad. We had to store them at Iron Mountain and a bunch of other stuff.

[00:21:35] There was costs associated with that. And now you’re telling me, Hey, let’s go back. Let’s go back to the future. 

[00:21:40] Eric Cole: [00:21:40] Right now, do you think that’s coincidental of why ransomware came out? Attackers ransomware has been known. It’s been known for 20, 30 years, but five, 10 years ago, it was silly to do ransomware because we knew you had everything backed up.

[00:21:55] We knew you had tape and robots and all that stuff. So they didn’t do it. [00:22:00] They waited for healthcare to get rid of all of that go to this high. Replication high availability environment. And that’s the exact reason they know your playbook. They knew you took out the tape backups, and that’s the reason why ransomware is such a hot area of attack because they know it works.

[00:22:20] Bill Russell: [00:22:20] Yeah. Talk about business associates real quick. So one of the challenges in healthcare is we have these business associates under business associate agreements. And these are people [00:22:30] that can handle  this protected data for us on our behalf. And these could be people that are processing payments.

[00:22:37] It could be call centers, could be insurance carriers. It could be a lot of different. We could have, it could be innovators, innovation companies that are innovating on top of some of this data. So we signed these BA’s and we just poke holes into our network to allow information that could be going back and forth. How could we be doing that? [00:23:00] Better. I mean. Almost to a certain extent, the health system now becomes a needs, an audit function. We need to be able to go out to each one of those BA’s the business associates and audit their network and their practices. I mean, do we need to go to that level or is there another way to do this?

[00:23:18] Eric Cole: [00:23:18] To me what we’re doing with a lot of the healthcare clients that we have is with those providers, we’re going to thin clients. So, if you look at the big risk you [00:23:30] have with having a third party or a third party entity accessing your information is they have a lap- a computer with an operating system that operating system can get infected with malware.

[00:23:43] They can then connect to your network, spread that malware very quickly. They can download information to their system and that system can get compromised. So it’s really the end point. That’s that huge exposure point. So by now moving to a thin client and they’re not expensive, that’s the nice [00:24:00] thing you give it to that provider whenever they want to access your information, they turn it on and it goes out to one of your servers.

[00:24:08] And gives them a trusted operating build that it’s patched, it’s up-to-date, it’s secure. They then access your data. There’s no hard drive. So there can’t be malware. They can’t start locally. They do their job that they need to do. You’re monitoring and tracking it. And then when they shut it down, that all goes away.

[00:24:27] And the next time they come in, they get a new operating system. So [00:24:30] we need to get rid of the exposure point of a compromised operating system for three years. And to me, thin clients are a great way of doing that. 

[00:24:38] Bill Russell: [00:24:38] All right, so thin clients. So you’re limiting the porch. You’re limiting a certain access to get through. So you’re not worried about their network being compromised. And actually, let me take this to where I think it’s happening today, which is we pushed all these people to work from home. Right. And it’s fine. I mean, you gave me a company laptop. I brought it home here. It has all the right software and stuff on it but my [00:25:00] kids over here.

[00:25:01] This is a hypothetical by the way, my kids are out of the house, but my kids over here and he’s playing Fortnite and whatnot. He’s hitting these boards at night. He’s compromised our network. He’s compromised, our access point. There just no botnets, you name it on my network. If I’m doing a thin client from my company issued laptop, do I need to be worried about a compromised network on this side?

[00:25:26] Eric Cole: [00:25:26] I mean that’s always a concern, but that’s a much, much [00:25:30] lower threat. And the reason is this, it’s not a compromised network. It’s compromised endpoints because a network is really just the wires and the cable. So your kid’s laptop that were their X-Box or whatever they’re playing Fortnite with that’s compromised, but that is just scanning and looking.

[00:25:49] So if you have a lockdown hardened, Endpoint a thin client. It’s going to be very hard for that to get in. So I would say that’s a very minor issue. [00:26:00] That’s a low probability of success. The bigger issue is without thin clients is you have your work computer at home. That you do all your work on and when you’re busy, you’re going for a jog or at the gym, your kid comes and either surf the web does homework, plays fortnight.

[00:26:17] It gets infected. And now once your computer’s infected, that’s the problem. So it’s really the infection of the computer, not the network that becomes problematic. 

[00:26:27] Bill Russell: [00:26:27] Yeah. I, that makes sense to [00:26:30] me. All right. Let me give you the other thing that I hear from CEOs, or at least you get the sense, which is cyber security is really slowing down our strategy. We have a business strategy that is about digital. It’s about engaging the patients. It’s about remote patient monitoring and all these other things. But every time I turn around, we’re sending a seven page document to every vendor that we’re going to be working with.

[00:26:54] And we’re, and we have to go through this, this long list of [00:27:00] things that needs to be filled out, but then we have this long list of things that we put people through. And so a project. That you think, Hey, we just signed this contract, let’s connect them up. Once it gets to the cybersecurity part of our organization and the it part of our organization, the thing just comes to a screeching halt.

[00:27:18] It feels like, and something that feels to me like should take a week, take six months. What can we do anything about that? Is there a way to keep cyber from slowing us down on the [00:27:30] business strategy side? 

[00:27:32] Eric Cole: [00:27:32] Yeah. So there’s two comments I’d have on that. The first one is, it sounds like you don’t have a true chief information security officer. What happens in a lot of organizations is people view the CISO as a promotional path for a world-class engineer. So you have a world-class security engineer. That’s been at your company for 8,10, or 12 years. And they say, if you don’t give me the CISO title, I’m going to leave.

[00:27:59] And you give them that [00:28:00] CISO title, but they’re not really a CISO. And because they’re super technical and super geeky, they’re going to take six months to cross every T dot every I, and that’s the slowing down process. A good CISO understands the business. They know how you make money. They read the financial statements and they understand that six months is unacceptable.

[00:28:20] So having a true strategic cybersecurity thought leader can speed up that process very quickly. The second thing I would [00:28:30] urge you to do is make sure you’re having accurate data. So you’re saying it’s slowing it down, but do you realize that even if it’s two weeks, if it didn’t take two additional weeks for it to go through security and you got hit with ransomware?

[00:28:45] And that takes you down for two months or three months. Isn’t that better? So you have to recognize that while security is meant to be a business enabler, there’s going to be a small impact for doing security. But if you don’t do security, that’s going to be a [00:29:00] huge impact for not doing it. So the comment I always make is do you want to spend 10,000 extra dollars today on security?

[00:29:09] Or in six or seven months, when you have a breach, do you want to spend eight or $10 million on remediation? So it is going to cost a little bit. I don’t think it has to be to the extreme that you said of six months, but an extra week or two, I think you need to recognize based on the value is worth it, versus the alternative of having a major breach that takes you down for significant longer.

[00:29:30] [00:29:30] Bill Russell: [00:29:30] You made the comment earlier that more than likely my, my network has been breached. Right. If I’m a healthcare system, I’m a target. And we know that they’re targeted because of the FBI warning and the stuff that just went out. So how do I know? I mean, so if a CEO or a board member is listening to this podcast right now, I mean, do they just go into there they’re CISO and say, prove to me that we haven’t been breached proved to me that we’re not currently [00:30:00] breached.

[00:30:00] I mean, how do they, how do they determine that they haven’t been breached? 

[00:30:04] Eric Cole: [00:30:04] And that’s the problem. You can’t. You can prove a negative, you can’t prove a positive. I can go in after you have a breach, I can say, yeah, you’ve been breached, but it’s hard to go in and be totally comprehensive. However, some things you could start doing is one have a security metric.

[00:30:24] You’ve worked in it. Most CEOs have a metric five nines. [00:30:30] The that’s their focus. The board understands it. They understand that their team understands it. If they deliver 99.999% uptime availability, everything is good. The problem is we don’t have those metrics and security. So you need to get a five nines of security.

[00:30:44] You need to get a single metric that your security team is providing you. And where I recommend starting. Is just for a couple of months, have them tell you the number of attempted attacks against your organization on a weekly basis. [00:31:00] Because most CEOs and board of directors don’t realize how bad the problem is when I ask them that question, they go, Eric, it’s probably eight or 10. And I said, what if I told you for your organization, it was 80,000 a day. And they’re like, they have no idea how bad the problem is. So we need to not with FID or emotion, we need to get factual data and start showing them the real data and the real information. The second thing that most organizations do [00:31:30] today is they do traditional incident response.

[00:31:32] Traditional incident response is you sit back and you wait for the smoke. You wait for something visible. The problem is other than ransomware, these attacks are invisible. They’re stealthy, they’re targeted. There’s nothing. So you’re sitting back saying I don’t hear anything. I don’t see anything. We must be good.

[00:31:49] And that’s very dangerous. What I would urge an executive to have their team do is something called proactive incident response, or threat hunting. What if we have people that every [00:32:00] month they aggressively look in the organization for signs of compromise, they’re aggressively going in and looking for problems or issues.

[00:32:08] So you can go in and catch them early. I’m very, very big on overall health. I get my blood work done every quarter, and the reason is simple. If I wait for there to be a visible sign of something wrong with me, it’s usually to a point where it’s really bad or it’s inoperable. So by getting the blood work done every quarter, I’m looking [00:32:30] inside and I’m getting visibility.

[00:32:32] You wouldn’t be able to see externally. That’s what threat hunting is. You need to go in quarterly, aggressively attack your own network. Look for signs of compromise and start getting more visibility into what’s happening. Don’t just sit back and wait for your company to appear on the nightly news that you’ve had a breach.

[00:32:51] Bill Russell: [00:32:51] Wow. Well, you’re you’re I mean, every time we go down this path on [00:33:00] cybersecurity, I am yeah, I understand why CIOs are overwhelmed and why CISOs are overwhelmed. Let’s talk about CISOs for a minute. Because it sounds to me like they’re, they’re the focal point. They’re the quarterback that makes things happen.

[00:33:19] What kind of qualities am I looking for in a CISO? So it, I mean, what, what makes a good one? What’s their background? I mean, did we just make this [00:33:30] title up sort of on the, on the fly and we’re just popping the wrong people into it, or is there a path that you get a really solid foundation for being a security officer?

[00:33:43] Eric Cole: [00:33:43] Yeah. So what makes a really good chief information security officer is they need to be a translator. They need to be very fluent in business. They need to be very fluent in cybersecurity and needed to translate between them. They need to understand the business and how it works, and they need to [00:34:00] understand technology and how it’s implemented.

[00:34:02] The problem that we’ve had is if you go back when the position first came out, like 10 years ago, we put business people in that role. They, they understood the business. They had MBAs, but they didn’t understand cybersecurity. So they couldn’t talk to the team. They didn’t have any respect and that wasn’t successful.

[00:34:22] Then we went the other extreme where we then made it a technical promotional path. Where you take your world class [00:34:30] security engineer and you make them a CISO. So the problem is they don’t understand the business. They don’t know the business, they don’t know how it works. And therefore they’re not very successful.

[00:34:41] I’ll give you an example. I was sitting in a meeting with this brand new CISO that the executives are trying to have me coach, and he just wanted nothing to do with it. He was this world-class engineer that had the CISO title. And he’s in the board meeting and he’s just riffing on technology and the advanced adversaries in it.

[00:35:00] [00:35:00] And he uses geeking out. And finally, one of the board members just go straight. I have one question for you. What business are we in? What is our business? And how do we make money? And I was just like, Oh, the wheels just came up. He had no idea. He couldn’t. Answer the question and that’s the problem. So to me, if you have a CISO in your organization and you want me to assess them, I’m going to assess them with two questions.

[00:35:30] [00:35:30] The first question I’m going to ask them is what is your company’s competitive advantage in the marketplace? And the second question is what is threat hunting? And if you can answer those, that means business technology, and you’re good. If you can answer either one of those, then I know there’s a major problem with that person.

[00:35:50] So to me, the problem with CSO is we had him buried under the CIO for so long that it became a technical position. And now that security [00:36:00] is as mature and rising up to the level of a CIO. They’re not strategic enough and they don’t understand the business. 

[00:36:07] Bill Russell: [00:36:07] Where do they fit in the organization? Are they, there are peer of the CIO that reports into who.

[00:36:13] Eric Cole: [00:36:13] So to me, they need to be a peer of the CIO. So if the CIO is reporting to the CEO and the Cisco needs to report to the CEO, so they need to be at the same level. If your CIO reports to the COO, the chief operating officer, then I would have your CISSO [00:36:30] report to typically your chief financial officer or your chief auditing officer.

[00:36:33] But they’re still at that same level because you have to recognize that uptime, availability, and security. Can sometimes contradict and you need to have an executive that’s equally hearing both sides so they can make the best decision for the company. 

[00:36:48] Bill Russell: [00:36:48] That’s interesting. So we, when I went in to be a CIO for the health system, we actually split out the CISO reported into me. We broke it out. We hired somebody, we actually [00:37:00] gave them the chief security officer title. They did information security. I also did physical security the case that was made and we hired a great person for it. But the case that was made is security is security essentially. And and if somebody is able to walk in the front door, gain access to our systems and all those kinds of things it’s as the same kind of threat is not a worse threat, right. So people can [00:37:30] really do damage if they’re walking in our front doors and gaining access to areas that they shouldn’t get access to. So that person oversaw that. Are you seeing that trend or is that, are those two really kept separate? 

[00:37:42] Now we’re seeing 

[00:37:43] Eric Cole: [00:37:43] that merged together where you have what we call a CSO, a chief security officer that has both IT security and physical security. The only exception to that is where there’s heavy physical components, like utility companies that have nuclear reactors, [00:38:00] where you’re going to have heavy guards and guns and stuff like that.

[00:38:03] That’s going to be kept separate. But in healthcare and banking and retail, where those are pretty close. I mean, it’s not a huge heavy, you don’t have folks running around with automatic weapons and things like that. I would say, yes, you’re merging those together. The other trend, which you might or might not like to hear.

[00:38:22] Cause you’re a previous CIO is CIO’s are all about availability. Security is really three things. It’s [00:38:30] confidentiality, integrity, availability. There’s really three components to it. So what we’re actually seeing some organizations do is making the CISO the top, and then they have a chief confidentiality officer, a chief integrity officer and the chief availability officer, the CIO.

[00:38:45] So we’re actually flipping it where instead of the CSO reporting to the CIO, the CIO is reporting to the CISO. 

[00:38:51] Bill Russell: [00:38:51] Right. But then where does the chief digital officer report in that kind of scenario? 

[00:38:58] Eric Cole: [00:38:58] Typically they would, [00:39:00] they would be that role of the integrity officer because you see that type of officer is really focused on the digital information, the integrity, the accuracy. So that would be sort of that tier under those three. 

[00:39:12] Bill Russell: [00:39:12] So what are the tools of a threat hunter? Just out of curiosity? So you’re saying, Hey, go out and identify the threats. Are there tools that they use for that or is it just, just a human I don’t know, problem solving intuition kind of stuff. 

[00:39:28] Eric Cole: [00:39:28] I would say the key tools [00:39:30] are large amounts of energy drink with high caffeine, no social life, and really, really smart. No, essentially what it is. It’s a lot of network monitoring and analytical. So if we, if we just do the basic breakdown of an attack, I know the unique signatures are different, but almost all attacks. This is what they’re going to do. They’re going to break into a system. They’re going to upload code.

[00:39:57] They’re going to survive a reboot. And they’re going to gain [00:40:00] control of that system known as a pivot point. Then from there, they’re going to do lateral movement into the network to get to the next system. They’re going to do lateral movement until they get to the data. And then once they get to the critical data store or the database they’re then going to make an outbound encrypted command, the control channel back out to the internet, to the adversary to steal the information.

[00:40:19] So when you’re talking about threat hunting, it’s, network-based threat hunting and it’s host based threat hunting. So you’re going to start off with network threat hunting. Well, you’re just going to have a lot of analytical [00:40:30] tools where you’re looking for anomalies. You’re looking for lateral movement between servers that just doesn’t logically make sense.

[00:40:37] And you’re looking for outbound encrypted channels to IP addresses are countries that the traffic normally wouldn’t flow. Then once you see the anomalous network traffic, then you would go in and look at the host and then you would need very good operating system skills to look at that host to say, what is running at startup and looking for any anomalous activity on the host itself.

[00:40:59] Bill Russell: [00:40:59] Well, [00:41:00] Eric, this has been great. So as the CEO is there anything else that I need to know as I go back. To my organization, this assuming you’re talking to a CEO at this point, I’m going to go back and have a conversation with my, with my cyst. So I’m going to have a conversation with my CIO. Anything else I really need to understand?

[00:41:20] Eric Cole: [00:41:20] I would say you need to increase the conversation with your CISO. And make sure that they know what you’re looking for, because what I’ve seen [00:41:30] in most organizations is a CEO reads the news that they talk to their colleagues and they’re concerned about cybersecurity that they are concerned about it.

[00:41:39] So they asked for a briefing from the security team. And it’s a security person. That’s not strategic. And they come in and they geek out and they talk about all this technology and the CEO has no clue. What they’re talking about. The CEO gets frustrated, gives up and never talks to them again. So to me, the CEO needs to have at least monthly [00:42:00] meetings with security.

[00:42:00] It should be 15 minutes. And here’s what the CEO needs to ask for. I want one page and one page only, and four columns. I want to know what are the risks? The likelihood of occurring, the cost of it occurs in the cost to fix it for the top 10 risks for my organization. That’s all I want. I want you to present that to me.

[00:42:19] And I want to do a 15 minute Q and a on a monthly basis. The CEO needs to tell the security folks what they’re looking for, and they need to have regular [00:42:30] interaction with them because the more the CEO understands high level, the better they will be able to support the security team and budgeting and resources.

[00:42:38] Bill Russell: [00:42:38] So we had a subcommittee of the board that we had to meet with every time they got together and the chief security officer and myself would go and present to them. One of the odd things about that, to be honest with you is I would say two thirds of the meeting. We were doing education. We were trying to bring them up to speed on what was going on.

[00:42:58] We were sharing articles [00:43:00] with them. We were sharing stories with them. And to be honest with you, I’m not even sure they knew what questions to ask us. Does that same format work for a board? 

[00:43:10] Eric Cole: [00:43:10] Yes because when you really look at it and I present to a lot of boards and sit on a lot of boards and work with a lot of CEOs. Essentially they care about the financial success of the company. So what they really want to know are what are the security risks at a high level in English? Likelihood of occurring cost. If it occurs and cost to [00:43:30] fix it, that’s what they care about. And if you do that correctly, that will be educational because you will be teaching them about new threats that are out there.

[00:43:38] But notice all it’s focusing on is the financial impact to the business. And that’s what boards care about. The problem is way too many security people and even CISOs get into too much detail. About attack vectors, how they work and how they operate and the board doesn’t care about that. That’s what they’re hiring you for.

[00:43:54] They want to know financial impact, keep it clean, keep it simple. And you’ll notice a [00:44:00] lot of effective communication. When you’re speaking the language of the executives. 

[00:44:03] Bill Russell: [00:44:03] Do I need to have somebody on my board who really understands cybersecurity? 

[00:44:11] Eric Cole: [00:44:11] I am finding that it’s helpful. So I sit on one two,. I just got two more. So I sit on seven boards and the way it works is before the quarterly board meeting, usually a week or two before I’ll have a 90 minute meeting with the security [00:44:30] team and I’ll go geek out. I’ll ask. So I’ll get all the information, I’ll get all the details and then I’ll tell them, this is what you need to present.

[00:44:37] And we’ll knock. They usually come to me with about 20 slides and I whittle it down to three or four and then they go in and they just whittle it down to the high level information they need. And about a 10, 15 minute presentation, we then go to the board meeting. They give a high level presentation. And I look at the rest of the board saying I met with them in detail.

[00:44:57] I vetted and validated this information. [00:45:00] I feel that these are the two concerns that I have that you should be aware of. This is what we should do. Do you have any other questions? They ask a few questions of me. They trust me. So they know that I did the due diligence. And to me that tends to work a lot better than trying to cover all the security that’s needed in front of all the board members, because it takes too long and they don’t care.

[00:45:21] Bill Russell: [00:45:21] So true. So Eric, great to close this out. Tell us about Secure Anchor consulting and how [00:45:30] can they find out more information about what  you do and what your organization does. 

[00:45:35] Eric Cole: [00:45:35] So Secure Anchor we’re focused on helping organizations build effective strategies, train up CISOs and help organizations be properly secure against the attacks. I’m very active on social. So if you go to D R E R I C C O L E on any social media platform, I actually have a weekly show on YouTube called life of a Cisco. Where I go into a lot of these details every [00:46:00] week. And then if you’re interested in my company, it’s, we have a website. And if you’d like to set up a consultation with me, you can also email me [email protected]

[00:46:13] Bill Russell: [00:46:13] Fantastic. Well, Eric, thank you. Thank you again for your time. We’ll have to we’ll have to stay in touch as things progress. It seems like this space is just constantly. Constantly evolving the,, I guess the [00:46:30] more things change, the more things stay the same because ransomware has been around for a while. The attacks don’t seem to be getting all that much more sophisticated. But it’s just constant. It’s just always there. 

[00:46:41] Eric Cole: [00:46:41] Yep. I’ll just leave you with the final thought is to me, what I’ve seen in the last two years is the attacks have been getting less sophisticated because organizations are so reliant on technology. They’re getting more sloppy.

[00:46:54] Bill Russell: [00:46:54] Amazing. Well Eric thanks again. I appreciate it. 

[00:46:57] Eric Cole: [00:46:57] My pleasure. Thanks Bill.

[00:46:58]Bill Russell: [00:46:58] What a great [00:47:00] discussion. If you know someone that might benefit from our channel from these kinds of discussions, please forward them a note. They can subscribe on our website or you can go to wherever you listen to podcasts, Apple, Google, Overcast, that’s what I use. Spotify, Stitcher. We’re out there. You can find us. Go ahead, subscribe today or send a note to someone and have them subscribe. We want to thank our channel sponsors who are investing in our mission to develop the next generation of health IT leaders. Those are VMware, Hill-Rom and Starbridge Advisors. [00:47:30] Thanks for listening. That’s all for now.