Challenge Accepted is a podcast from Arctic Wolf that has informative and insightful discussions around the real-world challenges organisations face on their security journey.
Hosted by Arctic Wolf’s VP of Strategy Ian McShane and Chief Information Security Officer (CISO) Adam Marrè, the duo draw upon their years of security operations experience to share their thoughts and opinions on issues facing today’s security leaders.
In this episode, our two hosts take a “hot take coffee break” to discuss the recent Microsoft email breach and the subsequent announcement of logging changes, the challenges associated with new SEC reporting regulations, and how nation states still use “basic” attack techniques and how organisations can protect themselves.
Ian McShane 0:00
Hi everyone, my name is Ian McShane. I’m VP of Strategy here at Arctic Wolf and welcome to the Challenge Accepted podcast the “Hot Take Coffee Break” edition where we talk about all things security.
Adam Marrè 0:21
And hi, I’m Adam Marrè, CISO of Arctic Wolf. So whether you’re a beginner or an experienced security professional, we hope you’ll join us in our “Hot Take Coffee Break” edition as we talk about some of the latest news and things that we’re reacting to in the security world. Anyway, what do we want to talk about today?
Ian McShane 0:39
Yeah, so you added a bunch of things. I’ve been really slacking, I only added one thing, really. And if there’s anything interesting to say about Black Hat, but I figured that’s gonna be the next thing on the agenda for most folks.
Adam Marrè 0:49
Yeah, probably nothing. Are you going?
Ian McShane 0:51
Yeah. I see you’re speaking.
Adam Marrè 0:55
Yeah I’m doing the speaking thing, I did something different this time. But yeah, the stuff that I put up to talk about is, so I mean, the big thing right now with the Microsoft email breach, and now they just announced that they’re going to open up this logging. I do remember that back in the day, so that’s really good. That’s a good place to start.
Ian McShane 1:22
Because I think that’s a great place to start, like talking about the logging, because one of the things I’ve complained about Microsoft, one thing that annoyed me about Microsoft for years, almost since they started having security controls, is that it felt like nothing was secure by default, like you had to jump through hoops to get security enabled.
And now, 10 years ago, 15 years ago, I can understand people didn’t know what they were doing. And you probably leave things turned off, for the sake of not screwing up someone’s environment. But it feels like there are so many hoops to go through to get these things turned on. And so does this mean that the logging is going to be available to everyone by default? Or are they going to have to go in? I’m assuming they don’t have to upgrade to bloody five or something.
Adam Marrè 2:08
Yeah, so my history with this is, as an FBI agent, as an investigator, we would go into companies that had been breached. And they were just unaware that they didn’t have to log on. And most of these were small, medium businesses, some maybe smaller enterprises. And they were just unaware that they didn’t have the logging they should have, and they figured they should have it. But at least at the time, Microsoft was saving 30 to 90 days for that, so that they could then come and buy it, which seemed a bit exploitative.
Ian McShane 2:43
Yeah, ‘oh, you’ve been breached. So you need to buy some more storage from us to do that investigation.’
Adam Marrè 2:48
Yes, putting my kindness hat on I guess you can also see it as like, ‘hey, at least you can buy and it wasn’t just turned off, because you elected not to buy this product, it cost us money to deliver.’
I’m trying not to be too cruel about it. But 100%, I believe, for a very, very long time, that basic security features should not be a selling point, it should not be an additional fee, it should just be part of it. And we’re talking SSO, talking MFA, all of that. But there are many companies still today. I mean, there’s that, website of shame, I forget what it is. But there is one that says, if they charge for MFA, I believe that it’s a little murkier when it comes to logging, because the storage of the logging is costing the providers of things.
I just think a basic level of logging should be included no matter what licenses, it should just be part of it, if we got to put it in the prices, put it in the price, whatever it is. But I really do like to see, as a result of some public shaming, apparently, that I really do like to see that Microsoft is now going to put this logging into their lower tier or whatever I mean.
Ian McShane 4:00
Yeah, you’re definitely right, I think there’s, there’s elements of gatekeeping still, and one of the things, I mean, putting my capitalist hat on, though, just thinking about how we sell products at Arctic Wolf, and how other security vendors sell products, you have things that you charge for when they are cutting edge, they eventually become commodity, right, they end up being just part of what you do.
And that’s one of the things I have yet to see Microsoft do with security is take the security controls and just move them downstream. Like instead of moving, instead of creating E7, for example, move some of the stuff out of E5 into E3 as it becomes more mature things like actually, what, I haven’t looked at the E3 and E5 entitlements for a long time.
But the things you said like SSO and all of those things and some of the more cloud-based Azure AD or whatever they’re calling it now because they just changed the name, but the configuration things in there that aren’t available unless you upgrade to E5 you know. It was like, there’s always been a level of gatekeeping. It’s characteristic of some security vendors. But I think it feels like Microsoft should almost know better or do better.
Adam Marrè 5:10
Yeah, absolutely. And speaking of cutting edge, I would just hope that companies like Microsoft, who’s very good at security, and has always been on the bleeding edge of it would offer some of these things as basic packages for their customers to allow them to have just the minimum level of security, which includes logging SSL.
Ian McShane 5:33
Good enough security? Yeah, exactly.
Adam Marrè 5:37
The fact that it came up in this instance. So to be clear, the specific issue we’re talking about was the breach of the non-classified Microsoft email system.
Ian McShane 5:53
I was gonna ask if it was related to that. Yeah, I was gonna ask, is it related to that certificate? Credential stealing?
Adam Marrè 5:59
Correct. I think that is the specific issue. Well, that’s where like the public shaming came in? Because I’m assuming, and I don’t have the specific details, but from what I’ve read in the articles that I’ve seen, apparently it looks like, I don’t know what part of the government or the department didn’t have the logging paid for. So they had to ask for it and get it and then use it. And then it kind of came up, ‘why didn’t they have it?’ Well, they didn’t have the license. So therefore, they weren’t able to dig into it.
Ian McShane 6:28
Is that the Storm-0558 breach or is that a separate one?
Adam Marrè 6:35
It’s the same.
Ian McShane 6:42
Yeah. So I hadn’t put two and two together. I saw that. I’m pretty sure I saw CISA’s announcement of the logging stuff and then obviously, reading the storm and the OWAs. Sorry, the Exchange Online breach, I hadn’t put two and two together to think that they were related actually.
Adam Marrè 6:58
Yeah, that’s right. I believe they are.
Ian McShane 7:04
Because that’s an interesting one. Right. It’s like they only discovered that reading the, again, kudos to Microsoft security response for the detailed write up. But it seems like they only discovered it when a savvy customer who actually goes through the logs of Exchange Online realised that there was some fishy activity happening that shouldn’t have been happening in their environment.
Adam Marrè 7:26
Yeah, and again, we don’t have all the details, but it is an ongoing investigation. And it does like look like this was kind of a step up in the level of sophistication coming out of you know who they’re alleging did this. And yeah, with the attack they got in and then some savvy person at one of the government agencies, I believe it was the US State Department noticed it.
Ian McShane 7:56
When I was reading the blog post Microsoft put out, it made it sound like it was, I’m sure they call a customer, and so I’m getting my wires crossed. And there was another similar incident, which is perfectly possible. But it seems like it’s the same one like acquiring the credentials to be able to sign tokens and basically spoof credentials to access Exchange Online, right?
Because what was interesting to me out of that was like, how many organisations would actually be proactively going through their logs? I mean, I’m sure there are some that have threat hunting, but all of the stuff I’ve read about this particular incident, it sounds like the adversary was doing the usual stealthy hides in plain sight by acting like normal users. And so it makes it even harder to threat hunt.
So, the fact that Microsoft didn’t find it until a customer found it like I’m curious. And maybe it’ll be a Black Hat or a DEF CON or a BSides talk at some point, but whichever company it was that discovered it, like, what were they hunting for? What how did they notice it? What was their root cause analysis?
Adam Marrè 9:00
Yeah, I really want to find out the whole story. So hopefully, it’ll come at some point, what was the specific things the attacker did? What were the specific things the threat hunter did to find it? And then the response because, this is high level stuff. It’s right around the time that the United States Secretary of State Blinken was headed to China. It looked like they were specifically reading the emails of the Commerce Secretary, Gina Raimondo, looking at her email so it’s geopolitics and espionage and all that.
Ian McShane 9:36
Yeah, looking to get an upper hand in trade negotiations or something.
Adam Marrè 9:43
Countries do that all the time, to each other, they want to understand what’s going on behind the scenes. So anyway, that was a really interesting one, but I think this result of like changing the level of logging is an interesting result from that.
Ian McShane 9:59
Then talking about breaches you’ve put a note in here about the SolarWinds getting a SEC notice. And so just when I thought I’d never have to hear the word SolarWinds and breach in the same sentence again, it sounds like this is doing the rounds.
Adam Marrè 10:15
Yeah, it’s not exactly clear what’s happening here. But there has been notice filed. I think this just goes to, to get a little wonky with this, these are called Wells notices. And they’re sent because they notify the recipients that there’s a possible intent to bring charges against them. And the SEC only does this when a corporation is found, being in violation of something for this Securities and Exchange Commission, something that they do. So it could be, substantive misrepresentations of various things. I think what strikes this for me, being a CISO is we, as an industry, as a world community, we’re still trying to figure out how to hold people accountable and in what way to hold them.
Ian McShane 11:11
Adam Marrè 11:12
And who it should be, and what is the standard of, it’s not always using this language, but the standard of due care, right, like what is the reasonable amount of things that someone should do to protect the information? And then really important, what is a reasonable amount of clarity, and transparency around disclosures? And the problem is that isn’t solidified.
It’s not like we have 1000’s of years of accounting, like with CFOs, and so we know exactly what they should be doing and what they should be saying to people. And what they should be disclosing, we don’t have that in security. Right? Should it be the CFO or the CEO or the board?
And new rules are coming out, and the new rules come out to us from the White House. So all of this makes it a very nervous place to be a CISO. Because, I don’t know any CFO that’s out there, that’s willfully not trying to do their best to protect your organisation, oftentimes, with the board or other things and people.
Ian McShane 12:15
Yeah, how do you go back to the SEC and say, ‘yeah, sorry, I tried, but we didn’t have enough money to do it. Microsoft charges too much for a single sign on.’ I’m like, that’s not much of a defense. But the things that were interesting to me in here were just the words the SEC are using like ‘failure to disclose material information’ or ‘failing to disclose the gravity of an incident’ or ‘failing to do so in a timely manner.’ They’re all really interesting things when it comes to crisis comms and all of the breaches you hear about it’s like, it took them too long to admit to it.
There’s still stuff going on in the UK where companies have appeared on Clops, big organisations have appeared on you know, Clops blog post, or some other adversary’s blog post and say, ‘yeah, we ransomed this company’, and the company is going, ‘yeah, it’s an IT incident. You know, we were still investigating. We don’t have the information to share,’ I guess. But when the SEC has started to say that failure to disclose the gravity is essentially, breaking whatever rules and regulations it is that the stock market and the SEC govern. That’s going to be pretty scary for a CISO to be tagged with that when it’s arguably it’s not even your decision at this point. Is it?
Adam Marrè 13:27
Yeah, exactly. And yeah, casting a shadow over all those comments, is the whole issue with Uber and Joseph Sullivan, and what happened to him. And the cover up is always worse than the crime, that kind of thing. I think that’s what is being signaled here is that what they’re talking about is you’ve got to be really clear on how big a breach is. And if you don’t, because that information can affect the market, right? And if you don’t, if you’re not clear on that information, then we’re going to come after you really saying like, ‘you can’t just brush these under the rug anymore. You’ve got to come clear.’
But the issue that I think the security leadership community is having is who makes that decision is not like totally up to the CISO. And what do you have to say, what are the requirements because there are privacy requirements kind of coming out of GDPR and CCPA. And those requirements, there are regulatory requirements, but what do you have to do for the market isn’t exactly clear. So we’re still figuring that out. But in the meantime in figuring that out, we’re sending notices to people that we’re bringing charges against them for not doing what we’re not clear on what should be done.
I’m not trying to excuse this at all. I know that these folks are doing their best. It’s just cause for concern. Get it figured out and get really clear on what people to do. And then guess what? All of us security leaders can hold the line. And when we’re in those board meetings, decision meetings or crisis communications, we can say ‘no, this is what’s required. This is what we’re gonna do just that.’
Ian McShane 15:07
There needs to be a standard, someone needs to define a standard. And, like you said, we haven’t got 1000’s of years of accounting background to come up with an adopted standard, let alone a governed standard or a dictated standard, whatever you want to call it. And it reminds me, is similar in well, firstly, of course, it’s just another reason to feel sorry for your local CISO. So go and hug your CISO if you see one. But some interesting parallels with the SEC trying to do the right thing, which is what I think they’re doing. It’s not a witch hunt. It’s not a chase. It’s not a ridiculous government policy driven thing. They’re trying to do the right thing. And it just, going about it the wrong way, maybe, or it’s just hard to adopt.
Adam Marrè 15:51
Yeah, I don’t know that there’s a right way. Just to interject. Once again, I believe in the good intentions of all the folks here in this, and I don’t know, maybe somebody’s trying to cover something up. The SEC is trying to do the right thing. Most CISOs and certainly ones I know and talk to are always trying to do the right thing. They want to be transparent. So it’s just a difficult situation.
Ian McShane 16:16
I agree. But then I was reading just before this today, that and I’ll try and keep my political bias on one side here, but the ridiculousness of the UK Government has gathered more steam today when they’re trying to force companies like Apple and Facebook with WhatsApp and Signal to sign up to these latest ridiculous changes to privacy.
So there’s been this ongoing thing for a while in the UK, where the UK Government, like some others, I suppose, is trying to avoid encryption in a way that gives them the chance to give law enforcement a chance to read messages, get data when they need to. But the one they announced today is basically saying that a software vendor that uses security has to bend to the will of the Home Office, which involves removing security when they’re told and not being able to have any kind of protest or review period, but they actually have to do it, to which Apple turned around today and said, ‘Well, if that’s the case, we’ll just turn off iMessage and FaceTime in the UK, because we’re not going to move away from that kind of encryption.’
So on one hand, you know, it seems like the SEC are at least looking in the right direction and trying to do the right thing. And then on the other hand, you see some of these government entities that may be under educated or going after the wrong goal, and just trying to take a hammer to a housefly.
Adam Marrè 17:39
Yeah, absolutely. Yeah. I do think we’re going through a period where we are getting more folks in governments that understand in the US, definitely, that understand, not just security better, but technology and how it actually works. I think the average age of an elected official in the US is 63 years.
Ian McShane 18:03
I was gonna say this, be careful not to be too ageist. But generally, that’s my opinion is that that’s half of the problem.
Adam Marrè 18:09
But a lot of the folks that work for them a lot of folks in positions. And let’s be honest, a lot of people in their 60s do understand technology. So I do think it’s getting better, at least in the US from what I see as far as like the questions being asked when they you know, when they bring these people out to testify in front of Congress. The questions are getting better. I think we’re trending in a better direction. But there’s a lot to be worked out here.
And yeah, certainly we need a backdoor to your encryption argument is, well, then it’s not encryption. Trust me. I was in the FBI. I understand you want to see the communications of criminals that are doing very, very bad things to interdict. But you’ve got to balance that against security. And it’s, yeah, it’s an interesting thing. But I just love it when they try to they just want to backdoor your encryption, well, then it’s not encrypted.
Ian McShane 19:04
Exactly. Exactly. Oh, man. That’s a good segue into something else that’s quite near and dear to my heart is phrases that come out in crisis comms, like it’s such an advanced attack, there was nothing we could do about it or the common misconception that every nation state adversary is always using zero days, and it’s impossible to block them. This one story from maybe a week ago? And you know, it’s unsurprisingly in the realm of Ukraine and Russia, where it seems like someone in I guess, APT29, or Cozy Bear as researchers from Palo Alto put it, intercepted someone trying to sell their car and then use that Word document as a way to try and phish some of the embassy people.
Adam Marrè 19:55
Yeah, I mean, so yet we do talk about the zero days and all the scary stuff and the Pegasus. They’re impressive. And they’re interesting to read about. And sometimes amazing, right? Yeah, but most attacks are successful, which is like basics, credentials and unpatched stuff. And I’m selling a five series BMW. And here’s a catalog of pictures. Download that, boom, it executes a macro and Bob’s your uncle, that stuff works.
Ian McShane 20:28
It’s just so funny like, I’d read it on, I don’t know, a news website. But it didn’t pop up in the usual cybersecurity news things, because I guess it’s not interesting enough, when someone’s sending a Word document trying to sell a BMW for 7000 euros or whatever it was, it just doesn’t sound as interesting as someone intercepting a supply chain or, this crazy, chain of zero days that was in previously undisclosed vulnerabilities.
I mean, it just goes to show it doesn’t always have to be the cutting edge technology to get this stuff done. And all of these things, I don’t want to say it’s easy for organisations to prevent everything, but there are certainly plenty of low-hanging fruit that can move someone’s security posture forward without having to worry necessarily about the craziest examples of a nation state trying to access your open S3 bucket.
Adam Marrè 21:28
Yeah, I mean, they’re going to use any and all methods, right, especially if they really are after something. But you know, I have friends that work in the hacker-for-hire business, right? So they do penetration tests for companies. And oftentimes, they’ll come in when they’re doing a bid, and they say, ‘Okay, well, we won’t do a phishing attack until the end, we want to try out the technical means first, because that’s the hard stuff.’ And we may or may not, but we know this will work, and then we go through phishing, that doesn’t tell us anything, because it’s just funny that, you know, there’s an ad, right, it’s one way to do it, but we know phishing will work.
So it just shows that the bread and butter basics is still where we need to put a lot of our focus from a lot of our organisations, yes, on that, so that we don’t at the end of the day end up blaming the intern for password, or the high level exec for clicking on the wrong link and things like that. We still need to work on these basics, get them solved, and buttoned up, because they’ll still be used by everyone to include nation state adversaries, and they’re gonna use the advanced stuff. But when the easy stuff works for what you’re trying to do, you’re gonna go with the easy stuff, because it works.
Ian McShane 22:40
One of the good things then, so one of the reasons I bookmark this news report, actually is because I get asked a lot by journalists, reporters, customers, ‘what should I be doing about nation state? How worried should I be about Russia and Ukraine, or China or North Korea, whomever.’ And this is going to be a great one to say, ‘you should focus on phishing and user education,’ because they’re gonna use these kinds of things as well.
Adam Marrè 23:06
Yeah, I do like to elevate people’s visibility to say, ‘hey, you may not think that you’re a target. But you got to think about your customers, because you can be a vector into someone that they’re interested in.’ So there are a lot of companies that don’t realise that they may be in the crosshairs of a nation state, or some actors supported by a nation state.
That being said, the stuff they should probably be working on to secure themselves is no different than what they should be working on anyway, because it’s probably the basics, it’s probably turning on MFA or protecting credentials, or having a better patch management, vulnerability management program. So it really is an end-to-end detection program, right. So it really is still those basics.
But it does help maybe raise a sense of urgency to acquire some more budget to be able to do it to tell them that, ‘hey, you may not be the target, but your customers might be and you need to be aware of that.’ Because you might not know that this nation state is after stealing the intellectual property of this customer of yours that you don’t think has anything to do with national security. But they’re on the bleeding edge of some odd thing. And that’s what this adversary or this economic espionage target, that’s what they want.
Ian McShane 24:19
Yeah, it brings me back to one of my favorite phrases, which is that you’re either going to be the target or the transport at some point.
Adam Marrè 24:26
Yeah. Target or the vector. It’s going to be one or the other. Yeah, I do like to highlight that for folks. But again, it’s the basics.
Ian McShane 24:35
Yep, sure is. That’s all I got this week.
Adam Marrè 24:40
Yeah, I think we have some good stuff in there.
Ian McShane 24:43
Was fun chatting with you again. I’m pretty sure. Assuming you’re I’ll see you next time. I look forward to the next one of these.
Adam Marrè 24:49
Yeah, assuming I don’t get notified by the SEC for some reason now.
Ian McShane 24:53
Okay, I’ll get my tiny violins out for all the CISOs out there.
Adam Marrè 24:57
Yeah, exactly. All those CISOs but hey, they are under a lot of pressure.
Ian McShane 25:02
You know, a question I got asked this week actually was apparently there’s been a study that says being a CISO removes two or three years from the average CISO’s life expectancy. And I have questions about that. So number one is like, how many people are they interviewing that have sadly passed that they are using to benchmark those two, three years? Like, how are they quantifying that? And number two is like, you don’t seem to age that much since you joined. So you know, is it really that stressful?
Adam Marrè 25:35
Yeah, I think it’s a debate on whether my teenagers or the job takes more years from my life. No, no, I love the family. No, it is a good question. Because the amount of stress that CISOs are under I mean, the surveys of them are really interesting. And that may be something we can do a full episode on sometime, it’s a really interesting topic.
I would like to see the actuary tables that they’re looking at to understand some sort of claim that it’s taken two or three years of your life, like how do we know that? But I do think talking about stress and where the stress comes from. And we alluded to some of that earlier today, talking about the uncertainty around what the obligations are, and the expectations are, and the fact that if a breach happens, you’re probably going to get axed, or it’s very likely, unless you’re really new in your tenure, or you’re very, very supportive. I mean, that happens a lot, right?
So I think, and so much of whether or not you get breached is out of your direct control, right? Again, to compare to like a CFO, you don’t have all the accounting that you can account for at your fingertips and make sure, the security is everywhere. I mean, everyone has an email account, everybody can click on things. It’s just this big, huge complex problem, and it’s all on your shoulders. So yeah, I get what they’re saying.
Ian McShane 27:07
You actually made me feel sorry for you that it’s all on your shoulders.
Adam Marrè 27:14
No, but I think it’s an interesting topic that we should think about cover. I do want to dig into. I think we do an outro of some kind?
I think that’s good enough.