COVID-19 has disrupted many aspects of the ways in which government operates, and one major change that agencies must address are the new ways in which threat actors use this time of change and uncertainty to their advantage. In order to scale defenses rapidly to protect themselves in this post-COVID cyber threat landscape, agencies should adopt a strategy of collective defense.
On behalf of Iron Net Cybersecurity, AWS, and Carahsoft we would like to welcome you to today's podcast, focused around protecting your network in the post-COVID environment. New threats and new approaches to collective defense in the cloud where Mike Ehrlich, CTO at IronNet, John Ford, cybersecurity strategist at IronNet, and Tim Rains, regional leader at AWS will discuss how a collective defense strategy in the cloud can help federal agencies scale their defenses rapidly, to detect and share across sectors, and identify new threats.
Today, obviously we'll be talking of the post-COVID environment. The new threats, the new approaches to those threats and protecting yourself, your agencies, your company in this new environment. We have a great presentation set up for you guys today. We'll be having a sort of guided conversation, led by Mike Ehrlich, currently the CTO at IronNet Cyber Security. Mike brings two decades of experience in cyber security having been a senior engineer with the US Department of Defense, a director of Black Burn Technologies, the President of Critical Mission Engineering, LLC, as well as the VP of product operations and now CTO at IronNet Cyber Security.
He is joined by John Ford, a cybersecurity strategist with IronNet Cyber Security. Prior to coming to IronNet, John Ford was a [inaudible 00:01:20] at Connect Wide, was the principle and founder of Seana Group, and also was the ISO and VP for Privacy at Well Care Solutions, a healthcare provider. Then last, but certainly not least is Tim Rains, who is a regional leader in security and compliance and business acceleration with AWS. Where he's been for three years. Prior to that, he was the executive director of cybersecurity strategy at Las Vegas Stance Corporation, and for almost two decades was a director and a chief security advisor at Microsoft.
Mike Ehrlich: I think one of the things I would like to talk about right off the bat. The title of this talk today is talking about the post-COVID environment. I don't believe we're in the post-COVID environment yet. I think we are in the COVID environment. We are still struggling with that virus fundamentally changing the way people and organizations act. Fundamentally in many respects changing, not just cybersecurity practices, right, but all sorts of practices in our daily lives.
I count myself, my wife and my daughter as three fortunate victims, if you will, of COVID. We've all had it. And we've recovered quite well. My heart goes out to those that are still struggling with it today, but as I said, COVID has effected virtually every aspect of our lives, and so I'd like to toss this over to John and Tim, perhaps even in that order.
John, you've got a great background as an ISO at some very interesting organizations. Can you give me your thoughts on what you've seen from your view, on what's new and different in this COVID environment?
John Ford: Yeah, thanks Mike. Welcome everybody, and thank you for taking the time. Michael, you set it up perfectly, this has effected every aspect of our lives, every aspect of our working lives, right? As you know, as we've been going around the world talking to customers virtually, I think what's really ringing true, and surprising to me, is both velocity and volume of attacks that are hitting companies, and how fast our adversaries, whether they be nation, states, cartels, attack groups, what have you, how rapidly they pivoted to executing a tax on organizations on both sides.
I think as we look at how companies are trying to operate today, just to give you a non cybersecurity example. If you were to go out and try to buy an appliance today, you might be surprised to find that some of them are on indefinite back order because basically the supply chains that create those appliances, they shut down, and nobody really keeps inventory anymore. When we think about that from a cybersecurity perspective, we always had organizations that were able to maintain a certain posture, based upon the resources that we provided, right? But nothing much more than that. And that's fine.
What we're seeing today is the inability of firms, given this increase in velocity and volume, is really to make use of the threat information that they normally would be able to make use of, and it's almost like having a very bad signal to noise ratio. They're dealing with what we used to say is 80% trusted networks and 20% untrusted. We basically flipped that on its head and so has our entire supply chain. This is really a challenging environment. One that really nobody that's in cybersecurity has really gone through before, but we're going to learn a lot so I think... I'm an optimist so I think at the end there's going to be some really good practices and processes that come out of this.
Mike Ehrlich: Yeah. Thanks. That's an interesting observation, that the secured versus unsecured network operations for most companies now. I look at myself today, and while I am operating on a work computer, that work computer is not sitting at work, right? It's sitting at... Well I wish it was sitting at Starbucks, but things like that are closed. Perhaps some of you are lucky enough that they aren't, but right now I'm sitting on my home network, and certainly my home network, believe it or not, in my background, is not as well defended as many corporate networks, right? So you have this mix, like you said, of what you hope to be secure assets operating on insecure networks, connected to what you hope are, again, secure assets.
It's really interesting, we understand how the attacker, like you mentioned John, has pivoted. They're taking every advantage they can with COVID, whether it's fishing or disinformation to really disrupt our operations. Tim, you sit there at AWS. You host many huge organizations' infrastructure, and I'm curious of your perspective on how since COVID threats have changed, either to the organizations that you host or even to your own infrastructure at AWS?
Tim Rains: Well, certainly we've seen a big shift since March, when COVID started to really interrupt the economy operations of so many organizations in the public sector. We saw a big shift across the board with digital transformation projects, and customers in public sector organizations trying to accelerate those. That drove a bunch of changes that we haven't seen happen so rapidly in the past. For instance, in education, suddenly teachers and students and parents needed a clear place to collaborate so there was a scramble to find that.
In, for instance, financial services, regulators suddenly saw two to three times the volume of security's trading in the United States so how do they keep up with the volume of that? And make sure that they're actually providing oversight properly? In every single vertical we saw an uptake of cloud-based video conferencing. With all of these behavioral changes and the infrastructure required to support those changes, [inaudible 00:09:21] bad guys will follow you wherever it goes. Clearly we suddenly saw a big shift with all sorts of phishing attacks, related to COVID, trying to get people's attention, trying to get them to click on malicious links, trying to get them to open up malicious attachments and so on. I think that's all fairly predictable, but as you mentioned earlier, people now are all working from home, it's remote work, and the devices that they're working on, that's where the action is.
How do we take the best of what we offer, and try to collectively understand what those threats look like? And collectively, sort of inoculate everybody at once, because doing it sort of a piecemeal fashion, sort of organization by organization trying to do this themselves, and suddenly they've gone from fairly centralized operations to distributed operations, it's super hard. A form of collective defense, I think is very helpful in an environment like that.
Mike Ehrlich: It's interesting, there are thousands of organizations out there that have spent years putting in place plans to [inaudible 00:10:43] resiliency of their operations, and redundancy of their operations, and typically, at least the ones that I've seen put those in place, those are in response to what I would call physical, natural disasters, right? A huge storm comes in and power is out for a long time or there is an earthquake or an explosion happens at a refinery. How do I do that?
It almost feels like we, the US, just the world in general, have missed an opportunity to plan for resiliency and redundancy when something like this happens. When almost 100% of the workforce, that can work from home, all of a sudden works from home. I don't think anyone planned for that. We've been thrown into this world where the few security resources we had in the past, that were already focused on plans for defending my own organization, given the laws around it that I control, those same people are now forced, as you said, to start adopting new cloud technologies for services out to a wider spread population, and now also in charge of somehow securing all of those little devices, right? That we can operate on when we're in the freedom of home.
I can go from my iPad to my laptop. If we compare that to the response to the COVID virus, there are a lot of similarities, right? The COVID virus, it doesn't care who you are. It doesn't care what country you're in. It is propagating around the world in a relative, uncontrolled fashion. It took us probably longer than it should have to recognize the fact that it was there, and operating in our environment. Now that I'm saying these words, think to any malware, think to any attacker, the cybersecurity corollary to that.
When we found it, we did not have a good group response. The US struggled with response, many countries struggled with response. Large organizations struggled. If I continue that analogy, I go to what we now all call Operation Warp Speed, right? Which was a government initiative that is ongoing now to bring private industry, private healthcare providers, private pharmaceutical providers and to get them communicating and working together with the public, with the public sector and in this public-private partnership to accelerate countermeasures for something we all needed defended, right?
That example, where we were very quickly able to stand on this, I will call it collective dispense for COVID capability, it seems that there is lessons there that can apply to cybersecurity. Using that sort of public-private partnership, I was [inaudible 00:14:02] John. He talked to us a little bit about you've seen private-public partnerships respond to COVID, specifically to cybersecurity, and to how we can use this concept of collective defense just to make everyone better, and make everyone safer.
John Ford: Yeah, Michael, and first, if it makes sense, let me kind of talk to what we believe collective defense is. We look at that as a series of technical capabilities that can accelerate the discovery of new threats, right? And we do that through things like detection, correlation, sharing in realtime, of like anonymous information, right? The outcome of that is a [inaudible 00:14:49] and situational awareness of how we can respond to new threats. We're not talking about old threats. With respect to Operation Warp Speed, which is like a perfect example, what we're witnessing is this capability developing between the public and private sector because as we know, those life sciences organizations, their entire supply chains are heavily under attack today.
I think would this have evolved on its own? We think so, right? We've been preaching this model for several years, but sometimes it takes a good pandemic to get something like this accomplished. Operation Warp Speed is not alone. When we think about the critical infrastructure environment, within the United States, when we think about what that looks like for other countries, our allies, right, and their respective governments, we all have the ability to benefit from a partnership, a public-private sector partnership like this, where information that wouldn't normally be known in the public sector, they can take advantage of.
In a sense we also know that campaigns are not limited to company, sectors or even nations, right? Attack campaigns can go across sectors. The ability to have this early warning system, as well as the ability, in our case with Operation Warp Speed, I'm fairly certain that [inaudible 00:16:31] benefit that's going to come out of this is our government seeing the absolute types of attacks that are being implicated on some of these private sector companies, right? Just like our Constitution defines where the role of the government is to help in our protection, I think that this is going to create an irreversible trend, where we will work much more closely with the public-private sector partnerships.
Mike Ehrlich: I started off by saying public-private partnerships, but clearly one of the hallmarks of Project Warp Speed is that the companies themselves are working together. It's not necessarily that every participant is talking to the government, independently. It's really a collaborative environment, where the government is an important stakeholder, right, but not the only stakeholder. If we extend that to cybersecurity, I think the things that come to mind or the ISATs, right? They are not inherently governmental, they are tied to the government, but it's really this group of companies that have come together to jointly defend. When we're talking about collective defense, I think John, I think you're talking about collective defense as sort of the next step. Moving beyond traditional threat sharing to figure out better ways to address the threat. Is that fair?
John Ford: Yeah. And more so, as we know collective defense is part of an evolution, right? Legacy, there's nothing wrong with what we had up until today, right? The information is still useful. The challenge in the past though is we shared threat information, but it was left up to the individual organization to do what they do with that. There was no sharing beyond that. When we look at collective defense, we're taking that to another level, but we're also taking it to a level in real time, which is also an improvement or an evolution of those legacy models.
Mike Ehrlich: Yeah. In talking about things like that, about actually applying threat intelligence or just applying knowledge, in general, that an organization has learned, it seems to me, and I'll direct this at Tim, that a platform, I'll call it a platform, but AWS, right, where you host so many different applications that organizations use. Where you host operational infrastructure for those organizations. It just seems to me that there is a tremendous opportunity that AWS has to help the cyber security world. Not only using your platform to correlate data, but absolutely using your services to help drive options to the best practices, drive [inaudible 00:19:44] Can you talk a little bit about how AWS is playing in that game?
Tim Rains: Sure. I mean compared to what we've seen happening on prem over the last 20 years, the cloud represents a clear opportunity to modernize our approach to cybersecurity. Besides the economic advantages of the cloud, and scalability and agility, and all of the reasons businesses and public sector organizations come to the cloud, there's two sort of game changers in my mind. [inaudible 00:20:19] professionals. One, the cloud is API driven so everything is an API [inaudible 00:20:27] From a security and compliance perspective, all we have to do is log those API calls, and watch them kind of in realtime, and we can identify indicators of compromise, we can use threat intel, both from AWS security, as well as our partners to identify what's going on inside of AWS. [inaudible 00:20:45]
Then the other game changer is automation. Can we do incident response, based on what we're seeing in those APIs in near real time? Between those two things, you could have really high levels of automation. You can get people away from data because attackers are both trying to leverage technology, as well as people. If you get people away from the data, it has security and privacy benefits. You automate as much of that as possible so that you get people out of the data business, you enable them with APIs. The things they can do are limited to what the APIs enable them to do. Then you can start to marry that kind of model together with threat intel, and this notion of collective defense. Where, for instance, we've got our guard duty service, which looks at the API calls I talked about. Those are cloud trail logs. All the API calls get logged in cloud trail, it uses DNS inquiry, that uses virtual private cloud net flow data, and then it uses machine learning and artificial intelligence to [inaudible 00:21:53] data in near real time.
Then it applies the threat intel from AWS partners to try to understand what's really happening there in all of that data. The only way that's even possible is if you have the AI ML storage, API calls on everything happening because everything has to go through an API call. That's only possible in the cloud. Marrying that with the threat intel [inaudible 00:22:22] We think is a very powerful model.
Mike Ehrlich: Sure. I'm curious, you mentioned earlier today that you've seen changes since March, where more organizations are opting cloud-based services, and even accelerating the push to have their infrastructure within public cloud, right? Within AWS, which is all good for you, because in fact your title is accelerator for cloud adoption and security, right? That's all good. I was wondering if you can characterize sort of the split? However you want to characterize it. In what sort of industries or what areas of [inaudible 00:23:12] are actually accelerating, and for organizations that are moving more rapidly on the cloud, how many of those are actually taking advantage of security tools in that infrastructure? Going to the cloud and not taking advantage of everything is like going to New York City with blinders on and not eating at a restaurant or seeing a show, right?
How many are actually partaking in that full experience?
Tim Rains: Right. I think what we're seeing is transformations in every vertical of the public sector. When you think of education, healthcare, research, you look at energy in some countries, you look at regulation and regulators, you look at federal government, state, local government, we're seeing adoption across the board to support going digital transformation projects or in some countries they're just kicking them off now. We're seeing across the board updates. There is definitely a maturity curve though, in terms of how much security goodness they are using. I'll use, for instance, I've seen a lot of different theory strategies used over the years. There's a lot of organizations that might have a security strategy that they've built on premise, and their first notion, when they first start considering the cloud is to lift and shift that into the cloud, and do more of the same in the cloud.
There is advantages to that because they have to leverage the collaboral knowledge and the expertise which they've built inside the organization. To some extent they have to continue to do that, but the curve kind of goes from the old-fashioned strategies that we've seen on prem to the newer strategies, like zero trust and DIP pipeline, dev ops. So moving from a world where you're trying to protect things on prem, using multiple different strategies to a world where the only way things get into production is through a continuous integration, continuous deployment pipeline, and in that pipeline you're checking for requirements at every step of the way so that you know when things get into production, they absolutely meet your security and compliance requirements. Then you can use some of those new technologies to make sure that they stay that way.
Then the most mature organizations that I've talked to use short-lived environments. Instead of like on prem, where you have servers that are running for years at a time with these really, really longterm credentials, that ultimately get leaked, or stolen or whatever. To environments that run for a couple of hours. Then you blow them away, and new environments get deployed through the [inaudible 00:26:04] pipeline by for instance, auto scaling, which is automatically deploying new instances, and those instances are based on the [inaudible 00:26:13] That gold image is the thing that you keep up to date, the thing that you keep [inaudible 00:26:18] the thing that you scan for vulnerabilities and misconfigurations and so on. Instead of having to scan thousands of systems, patch and reboot them, you're really simplifying task management, and just focused on a single image for a group of images, everything goes into production already [inaudible 00:26:36]
And every couple of hours it gets blown away so that even if bad guys get onto those systems, they only have a couple of hours access to them. This type of maturity from lifting and shifting to embracing native cloud features to real [inaudible 00:26:52] is sort of a journey for a lot of customers I talk to.
Mike Ehrlich: Yeah. It's interesting. I think one of the, when you talk about cyber maturity, there will always be companies, organizations, government agencies, however you want to define the groupings, that are less mature than others. That's always going to be the case. I think a lot of the cloud technology perhaps raised the mark in how good the worst cybersecurity agencies are.
Tim Rains: We call it a cybersecurity talent amplifier because you know that cybersecurity talent has been so hard to attract and retain in this industry for a decade now so if you can use something like the cloud to amplify the talent you have, it makes your cybersecurity team much bigger than what you had on prem.
Mike Ehrlich: Yeah. Talking about that talent amplification, I think one of the hallmarks of collective defense, and one of the tenants of collective defense when I talked about it, I think of the greatest among us helping the least among us. Where the [inaudible 00:28:12] analytic resources, the best people in the world at analyzing cyber threats, aren't necessarily, they may work for one organization, but they're expertise impacts hundreds or thousands of organizations, almost in real time.
I'd ask John, John, you talk a little bit about your definition of collective defense, and I've just given you one of the things that I think is very important. That real time sharing of knowledge, where the best help defend the least. Are there some other visionary things where you think collective defense can get to?
John Ford: Yeah. Mike, you hit on a big one. I look at collective defenses as a force multiplier. Where as a former CSO, you're constrained by budget. You have constraints, there's no doubt about it, right? You might be constrained by your talent, right? I think that one of the key benefits of collective defense is exactly that, is getting this force multiplied talent in real time out there, that educates people almost in real time as well. If you look at [inaudible 00:29:36] it's almost a similar premise. Bug Bounty programs are wonderful because you have these researchers, which is the common term for them, but these researchers out there, and they're trying to find vulnerabilities in these products, but they don't work for you.
They end up getting little stars and badges along the way, as well as money, but they become known. In a collective defense model, we can have that same thing. Look, not all of our resources are having the best day, and maybe a best analyst is often [inaudible 00:30:15] To me, that's a huge concept of getting that force multiplier, getting that collective knowledge, and increase in education. All of that is very, very repeatable, and scalable. That's definitely a key component, as far as I'm concerned, and one that I wish when I was a CSO, if I had that type of capability, I would have jumped all over it, for sure.
I think the other thing too, like is getting through another key benefit of collective defense is really getting rid of the garbage, right? I was talking to a large health plan yesterday, and their threat intel analysts at their lead told me, he said, "John, if I could just get rid of all of this noise that's coming our way. We don't have a really good way of getting rid of things that might just be false positives. We're inundated." I think another great side benefit of collective defense is getting rid of that garbage, right? You can see what everybody is doing, and how everybody feels about this, and you can begin between that and the automation that comes along with, you can actually trim that noise down to something that's actionable because at the end of the day, these people want to contribute, they want to do good things, but they have to have actionable data to work on. To me, I think those two items are pretty big.
Mike Ehrlich: Yeah. All great points, John. One of the things that, again, I spent a lot of time thinking about collective defense, and you're exactly right, right? It's trying to get some of the best analysts to get that knowledge disseminated as quickly as possible. I think one of the things for folks that I've talked to, that are participating in collective defense, at least with Iron Net, is that they have been really helped by understanding the concepts of their environment, as it relates to perhaps their supply chain or their region or their sector. What I mean by that is we have found that given the knowledge that cyber activity that I see in my network is also going on in one or two or three other organizations because we have aggregated and analyzed that data.
It has started driving stock operations so that if I have an analyst that's looking for a new challenge to dig into, I can say, "Hey, here are two things that are potentially equally important to my organization. This one here seems to be effecting just me, but because of the information from the collective, information that has been provided, that everyone can see now, I know that this activity over here is also prevalent in two or three or four organizations," and it turns out I have the right guy to look into it. If I look into that one, I will help. I will be part of the greater good, and so I've started to see folks that are working with our collective defense platform, start driving stock analyst's operations based on that situational awareness view. Based on the fact that I now know that things are going on in other companies, other organizations, other governments in my supply chain, that prior to this sort of platform, to this capability, I never would have known.
What's the point of having five analysts triaging the exact same thing at the exact same time? Maybe if we work together we can just have one triaging it. I think that also points back to Tim, to AWS, right? Iron Net is a small company. It's a couple hundred people, a couple dozen customers that we are providing this sort of collective defense for. Actually for those that are viewing it, we're actually going to get into a demo of what that platform looks like, and what it means for our users, but it strikes me, Tim, that AWS, I'll just say public cloud infrastructure, right? You're not the only ones, probably the biggest, but not the only ones.
That you have a huge roll, and it's not just in, again, not just in the platform, but it's in the trust you have with companies, right? That you built that allows them to make the leap, which was once unheard of. "I'm going to take all my operations and put it in a data center that I don't control, on servers that I don't even know what they are." That was a huge leap, but I think there's been a change in trust that enables AWS to be successful, honestly, and I think that trust is going to extend to providing cybersecurity solutions, and teaming with small companies, like ours to provide new solutions.
It wasn't really a question in there, but I'm curious, Tim, you've heard myself and John talk a little bit about collective defense. Where do you see AWS helping in that journey?
Tim Rains: When I look at collective defense, and how it operates from an [inaudible 00:36:14] perspective, I think the things that you're doing that earn trust amongst your customers, for instance, the automatization of the data because we know that people are willing to share data, but they don't want to necessarily share insights into what's happening in their environment because that can have all sorts of negative consequences for them. That's why at AWS, we can see what's happening inside of an account. We give the customers the tools, both regional tools and global tools to give them insight into what's happening into their account.
Now from a big network perspective, [inaudible 00:36:53] big network perspective, that when we see an indicator of compromise, we will contact customers and let them know what we can, but inside that account, that's really a place for customers to do their thing, to use our tools, and to leverage Iron Net, and tools like Iron Net. The thing that underpins all that, as you mentioned, is trust. Trust is a combination of transparency, and I think the automatization of data is a key to that. Being able to share with people what's happening in a geography or what's happening in an industry, without revealing who is providing that data within that geography and that industry is pretty key.
From an AWS perspective, we take privacy and that transparency very, very seriously. That's, for us, because we don't have insight into what's happening into an account, and that's why we're providing these tools, and getting partners to provide threat intel to help our customers understand what's happening inside their accounts, and that's what makes partnerships with partners like you so important because we need those insights you're getting from the industry verticals and from the geographies and so on. That stuff is gold to us when it comes to threat intel, and then enabling automation to recognize what's happening and take action. That's key. It really is.
Mike Ehrlich: Let me talk a little bit about where we are on the collective defense journey right now. As you can probably tell, you've been an attentive listener, one of the core mission areas Iron Net focuses on is this concept of collective defense, and we do in fact have a platform that realizes some, not all of the benefits that could be had, but realizes some of the benefits that could be had when you decide to take this collective defense strategy, if you will, and operationalize it.
One of the interesting parts about what we've done is when folks deploy our platform, the data, as Tim mentioned, and thank you for bringing that up Tim, we push data to this platform. Again, we host in AWS. We take advantage of all of their security and privacy controls, but we push anonymized data up into AWS and we aggregate that data, and we analyze across that data set, from multiple organizations. I'll give you a great example.
The very first group that we had do this, because we are very fortunate to have seven of the 10 largest electric utilities in the US, as customers within Iron Dome, that forms our energy Iron Dome if you are, at least the core of that dome, and they have all agreed to share cyber-related data at a speed and scale that they had never done before so that we can aggregate that data, anonymously, and draw insights from that. What they found is that since the data is largely their data set, everything they learn is relevant to them.
It's not a feed of 4000 threat indicators a day, that may or may not ever be seen on the network. Everything is very intimate, if you will, to their environment. The other interesting point about that is that they actually pushed us to provide that level of visibility to the US government because they wanted to enable the government to have an anonymized view into their portion of critical infrastructure so we struck up a program with DHS, where we are providing the source of correlations and on an anonymized basis can't be tracked back to any particular utility, any particular company that gives now the government the DHS insights into behaviors, into campaigns that are traversing these different critical infrastructure sectors.
With that, first of all, I would like to thank everybody that attended for listening to us. I hope you've gotten something out of it. I hope your understanding of [inaudible 00:41:28] has grown a little bit. When we're talking about collective defense, I think the things to keep in mind are that if you decide to participate in Iron Net's version of collective defense, I'm not sure if there's any others out there that [inaudible 00:41:43], but the real drivers are much greater situational awareness, of you and your community. It is absolutely a force multiplier for stocks by sharing investigations and analysis in real time amongst organizations.
There's an element of real time collaboration built into this. Finally, we didn't touch on this much, but one of the most critical aspects of collective defense is that it really does drive discovery of new attacks, and new attack infrastructure in a way that everybody operated alone, right, if everyone was a tree, you may never see that forest. We are really helping identify the forest, and identifying the thing sweeping through that forest, that only a collective picture and aggregation of data can provide.
Again, I'd like to thank you for your time.
Thanks for listening. If you would like more information on how Carahsoft, Iron Net Cyber Security or AWS can assist your federal agency, please visit: WWW.Carahsoft.Com or email us at ironnetmarketing@carahsoft.comor awsmarketing@carahsoft.com. Thanks again for listening, and have a great day.