The State of Enterprise IT Security is the show for technology leaders looking for actionable and approachable guidance in the security landscape. The show features Brad Bussie, the CISO of e360, a premier technology solutions provider. In each episode, Brad covers three timely topics impacting the enterprise security landscape.
All right, we are recording the second
episode of the Security Podcast, which is
part of the State of Enterprise IT show.
Okay, we are recording the second episode
of the State of Enterprise IT Security
Edition with Brad Bussie.
All right, Brad, take it away.
All right, hi everybody.
I'm Brad Bussie, Chief Information Security
Officer here at e360. Thanks again for
joining me for the State of Enterprise IT
Security Edition.
This is the show that makes IT security
approachable and actionable for technology
leaders.
I'm happy to bring you three topics this
week.
The first one is can cybersecurity experts
safely use TikTok?
The second is will breaches be worse this
year?
And the third: is MITRE ATT&CK really that
influential?
So with that, let's get started.
So can cybersecurity experts safely use
TikTok?
And when I look at whether, you know,
cybersecurity experts can use TikTok,
I think it depends on several factors.
Part of it is what's your risk tolerance,
really what's the purpose of your usage
and what precautions are you taking?
So if I were to break it down into a
couple of considerations, I would start
with what are the potential risks.
So, I'd say since the inception of the
application or website, depending on how
you consume it, data collection and
privacy concerns are paramount.
TikTok collects considerable user data.
There's been argument that Google collects
it the same, that YouTube also does it,
Instagram, kind of the whole Facebook
family.
But I think what's being done with it is
more of the concern.
So it's collecting user data.
It includes the location, the device
information, the viewing habits of the
user.
The app owner is a Chinese company, which
raises some concerns about potential data
access by the Chinese government.
It's interesting though, because TikTok
denies those claims.
There are security vulnerabilities, and
while vulnerabilities are inherent in any
software, like we've hit on that a few
times before, TikTok's faced some pretty
harsh criticism in the past for security
flaws that could, again, potentially
expose user data.
So we're still talking about data, we're
still talking about privacy.
But I think even more dangerous is
misinformation and propaganda.
So TikTok's algorithm can expose users to
misinformation and propaganda, especially
if it's coming from a quote-unquote
verified source.
Those are things that are a little more
controlled on other platforms, but not so
much on TikTok.
So this could be pretty concerning for me
as a cybersecurity practitioner when it
comes to dealing with sensitive
information.
So let's say I decide to accept the risk.
What are some of the things that I could
do to use TikTok?
And I'll also talk a little bit about how
I feel about security experts leveraging
the platform to reach an audience.
So for me, it all comes down to limiting
engagement.
So if an expert does choose to use TikTok,
they should limit the engagement to very
specific purposes, like following
education-specific content and industry
trends, and really the goal is to minimize
any data exposure.
I'd say making sure of your privacy
settings, utilizing all the available
privacy settings, and restricting data
sharing can offer some protection, but it doesn't
offer you protection from the main thing
we're concerned about, which is the owners
and operators of TikTok and what they
would do with the information.
I always encourage device separation.
So use a separate device strictly for
TikTok, and this can isolate potential
risks from work or personal devices.
But again, TikTok learns from where you're
visiting, what you're watching, how long
you stay on something, where you are.
I mean, it looks at all of those things.
So keep in mind that device could be
exposed.
So be very cognizant of what is actually
on that device in addition to TikTok.
And I would say have some critical
awareness, maintain a critical eye on all
the content that's encountered and verify
the information.
Make sure it's coming from a credible
source.
I mean, that's pretty important.
So alternately, there's some industry
specific platforms.
So you could go to what I would consider
more secure platforms that specifically
cater to cybersecurity professionals.
But that's if you're interested in using
it for that purpose.
I think what I see is a lot of people use
TikTok for relaxation or they use it for
entertainment.
But just observing my family members, I
actually don't let my children install or
leverage TikTok, for a lot of the reasons
that I discussed.
So I think just being aware of what you're
after.
So if it is entertainment, I think there's
a lot of other options.
I actually see a lot of the things that
make it to TikTok, they show up on other
platforms now.
Maybe it's not as fast, but it does
happen.
And then, if I'm looking for an
alternative, let's say I'm researching
something, I don't necessarily think
TikTok's the place, because you're never
quite sure about the authenticity of the
information.
So there's other places that I could get
cyber information.
There's a bunch of blogs, there's a bunch
of websites, and we'll talk about some of
those throughout the podcast because I
think it's important that we're all armed
with some good information.
So if I'm going to conclude this segment,
I would say, whether cybersecurity experts
can safely use TikTok, it ultimately
depends on their individual risk
assessment, risk tolerance, and their
mitigation strategies.
So while potential risks do exist, I think
careful engagement, utilizing the privacy
settings, and alternate sources can help
manage some of the risk.
And I would say, if I'm after specific
information, there's other places that I
could go for it.
So again, it's up to the individual.
And if I am an influencer, let's say I'm a
cybersecurity influencer, I don't know if
I've hit that status quite yet, but once I
do, are you gonna find me on TikTok?
You won't.
But I feel that there are other platforms
that are more appropriate for that
outreach.
So I'll just leave it there.
I think there's going to be some heated
debate about this one.
And I'd love to chat more about it.
So let's move on to the second of our
topics for this week.
Will cybersecurity breaches be worse this
year?
And I see several factors that suggest a
very high likelihood of continued or even
increased threats, as well as breaches.
So if I'm looking at it, I mean, we really
have a growing attack landscape.
There's evolving tactics.
Attackers are constantly innovating.
They're exploiting new vulnerabilities,
they're developing more sophisticated
techniques.
And as we talked about in previous shows,
those attacks are now AI powered.
You can put together a much easier social
engineering scam.
I see a lot of this with help desks, where
they're getting socially engineered by
someone saying they're a user, and they're
unlocking accounts, they're reissuing
keys, they're just doing unnatural things,
the way we would consider it unnatural,
but to them, they don't actually know what
they are dealing with; they think it's a
real person. So I think we're going to
continue to see ransomware being a
significant concern because of the money
aspect. I also see an increased attack
surface. So there's a growing reliance on
digital technologies, cloud computing,
interconnected devices, and that just
expands the potential entry points for
attackers.
I think another one is geopolitical
tensions.
There is a lot going on, and I think cyber
warfare, state-sponsored attacks, they're
on the rise.
And I'd say adding another layer of
complexity to the threat landscape is just
all of the different conflicts that are, I
think, starting to spill over into allied
countries, with what's happening with
Russia and Ukraine, with what's happening
in Israel.
There's a couple of others that I would
mention, but I think these are the ones
that are of most interest for this year.
I continue to see vulnerable
infrastructure all over the place.
Outdated software and systems, a lot of
organizations, they still rely on outdated
technology with known vulnerabilities.
And that makes them easy targets for
attackers.
And I know you're thinking, well, why
don't they just patch their stuff?
Why don't they just do, why don't, why
don't?
Well, I ask that question every day and I
still don't have a good answer because
it's different for everyone that I talk
to.
Human error, I mean, phishing attacks,
social engineering scams, they continue to
exploit, I would say, the most vulnerable,
which is the human.
And that is a significant risk.
Lack of cybersecurity awareness, I mean,
insufficient awareness and training in an
organization, it can leave them completely
unprepared to handle cyber threats.
And then, the rising financial incentives.
I mean, cryptocurrency popularity, that
was a big boom in '21, '22.
I think 2023, we saw a bit of a dip as far
as how lucrative it is.
However, that's still the currency of the
cybersecurity attackers.
And I think it will continue to be, and
we'll see a resurgence of crypto.
I think it's just where finances are
going. How long it takes us to get there,
I think that remains to be seen, but
monetizing data, I'd say, is another area
of that rising financial incentive.
So it could be personal data.
Could be corporate data.
It's valuable.
It's a commodity now and attackers steal
it so that they can sell it because
someone on the dark web is going to buy it
for whatever purpose.
And those purposes are typically
nefarious.
And then I'd say the crown jewel of all of
this is ransomware, the ransomware
payouts. It continues to be successful.
Ransomware attacks and the incentives,
they further develop, and the deployment
of the tactics keeps getting better.
And it's interesting, because this is a
polarizing topic when I talk to people
about, hey, should we pay the ransom?
And that is a very personal question,
because I listen to enough cybersecurity
practitioners that say no, because if we
stop paying the ransoms, then it's not
lucrative anymore, and those types of
attacks will go away.
We'll essentially starve them out.
But the challenge with that is in some
instances, a business would cease to exist
because they didn't do enough upfront to
protect themselves or to recover from that
type of an attack.
So I think we could go pretty deep on
that.
I think we'll have another show where
we'll do that, where we'll talk about
resiliency and what organizations can do.
Because I think if enough of us are
prepared, then we can wage an offensive by
being defensive.
And the next thing you know, ransomware
will be a thing of the past, because,
granted, we will have an impact, but
should we pay the ransom at that point?
Because we're ready for it.
So I think some of the things that we can
do this year as potential countermeasures,
because I never liked doom and gloom
anything, I think three things. Improve
cybersecurity awareness.
So increase the awareness and training.
I know we all look at it all the time and
say, oh, my users just don't get it,
they're not doing it.
Keep at it.
I think we can significantly reduce the
human error and how susceptible we are to
social engineering attacks.
We just have to stay consistent.
And there are statistics of how many times
somebody has to see something before it
really sticks.
And it's a lot.
And our attention spans are getting
shorter and shorter.
So what I've done with our own program is
I've made it more bite-sized.
So instead of the 45-minute to an hour
training, I'm trying to do the fives, the
tens, the 15-minute trainings, and I just
do it more often.
And that's been well received by my users.
Investing in cybersecurity tools and
infrastructure.
I mean, organizations that prioritize
cybersecurity and invest in tools, and you
can look at it as still firewalls,
intrusion detection, endpoint detection
and response, those types of systems, I
mean, they still strengthen the overall
defenses.
Now, you'll hear me talk a lot, and am I
still a big fan of firewalls if it's a
perimeter implementation?
Not so much.
I'm more for bringing security closer to
the endpoint, closer to the application,
and closer to the user, but there are
still firewalls in play.
It's just how they're-
And then I'd say the third countermeasure
this year would be collaboration and
information sharing.
So threat intelligence is still one of the
best practices within the cybersecurity
community.
Because if we're all being attacked and we
stay silent and we're not sharing the
information, how we mitigated it, how we
detected it, then the attackers are going
to win.
So making sure we share amongst ourselves
and we have that good threat intelligence,
everyone needs to invest in Threat Intel.
So however you're getting that
information, we could again have a whole
show about that, but there's a lot of
options and happy to discuss any of those
with listeners.
So speaking of threat intel, let's wrap up
this show with our third topic, which is
the MITRE ATT&CK framework, and is it
really that influential?
So for those of you that are new to MITRE
ATT&CK, let's kind of look at it from the
lens of just the simple high level.
So MITRE ATT&CK is like a cybersecurity
map of attacker tactics.
So...
It outlines the common ways attackers
operate, and that could be from sneaky
reconnaissance to deploying malware.
And it makes it easier for defenders to
understand their potential opponents.
So think of it as a shared language and
playbook for cybersecurity.
It's helping everyone speak the language
against cyber threats, and it's really the
same language.
So we all kind of understand where it's
coming from.
It's constantly updated, just like maps
when they get a new road or a new
landmark.
And what it does is it reflects new
attacker tricks and it helps keep our
defenders up to date and you could say on
their toes.
Now, I would say MITRE ATT&CK's influence
in the cybersecurity world, it's
undeniable.
48% of organizations use MITRE ATT&CK and
they use it extensively.
And that's for security operations.
And a lot of that has to do with the
endpoint detection and response platforms.
They're basing a lot of the way they do
things on MITRE ATT&CK.
And then there's another 41% of
organizations that are using it to some
degree.
So if I'm looking at that from influence,
that's a lot of percent.
I mean, that's pretty close to 100.
But 19% consider it critical to their
future security strategy.
And 62% see it as very important.
So if I'm reading the statistics, it's a
good base-level framework, but not enough
are seeing it as a critical component to
their future security strategy.
And I think that's a bit of a miss,
because it really is a great map and way
of understanding attackers.
And there's a concept of the kill chain.
And if you look at how attacks are started
and how they end, you can follow it just
like a playbook.
These things are real and attackers do
follow step by step because it is a chain,
it is a process.
It's typically a nefarious process, but it
is something that we can still understand.
Now, if I look at the impact on the
industry, what has MITRE done for us?
It's done one of the best things, which is
standardizing the language.
So we can all look at it.
We can all see it.
It's a common framework.
And it describes the attacker tactics and
the techniques.
It fosters better communication.
And really that whole collaboration across
the cybersecurity community.
There's improved threat detection because
of it.
And that's because we understand how the
attackers operate.
And we can develop more effective defenses
and detection mechanisms because of that.
And I mentioned this before, but it's
really having informed security tooling.
So the vendors that are creating
cybersecurity tools and defense software,
they're aligning their products and their
services with MITRE ATT&CK and the MITRE
ATT&CK framework.
So really it makes them more relevant and
effective.
And I would also argue that MITRE is
driving innovation.
So there's continuous updates to the
framework, and that's key, because our
attackers are evolving, MITRE is evolving.
And that's what we want.
We want a parity and to keep pace with
each other because it's not going away.
Benchmarking and testing.
So this is something that I was really
missing.
If you all remember NTT back in the day,
they would test a lot of different
software, and we could get some scoring
based on how the cybersecurity tooling
performed in the real world.
Well, MITRE has put on that superhero cape
and they're doing something very similar,
if not a little bit better.
They're doing benchmarking and testing.
So it provides a way to measure an
organization's security posture against
known threats, but they are also testing
in an environment a lot of different
tools, and then they're giving us scores,
which is great.
So, if you're interested in that, hit the
MITRE website, take a look at it.
And I think the way that we are going to
survive this new age of AI is how MITRE is
open source and collaborative.
So it's freely available, it's openly
developed, and its goal is to foster that
collective spirit in the cybersecurity
community.
So I've always looked at it as we are
better together.
I'm a big fan of the crowd movement.
That's a little old now by the standards,
but still it is our best chance against
attackers.
So overall, MITRE ATT&CK, it's become a
cornerstone of modern cybersecurity.
I think its influence can be seen in its
widespread adoption.
The impact that it's had on the industry
and the ongoing innovation that it drives.
So I would give you a counterpoint to
that: it is highly influential, but it's
not a one-size-fits-all solution.
I mean, you need to look at it and adapt
it to your specific needs.
And I think that some organizations
struggle because of their particular
threat landscape.
It may not be fully compatible, but I
think you're still doing something, which
is better than nothing.
I would say some critics, they argue that
MITRE ATT&CK focuses too much, I don't
know if you can possibly do that, but they
say too much on advanced persistent
threats.
And that is something that may not be as
relevant to smaller organizations, because
they're getting hit by more of the
drive-by, the botnet, because advanced
persistent threats typically need
resources and are very targeted and
directed, so they go after what we call
the bigger fish, or they're whaling. A lot
of smaller organizations, they just get
hit by kind of more of the automated
stuff, and it's like casting a wide net
and seeing what you get. That's more of
how those attacks are, and MITRE's is good
but not amazing for that.
There's other frameworks that I think are
a little bit better.
And I think some of the smaller
organizations should be focused just on
the basics, which is like a CIS 18 or a
NIST CSF type of an approach, but we could
talk about that later.
And then I would say, you know, despite
some of the limitations that you could
mention, MITRE ATT&CK is still valuable,
and it's a great tool for any
organization.
And I'll say this in quotes, that is
serious about cybersecurity.
So I hope this information gives you a
good understanding of MITRE ATT&CK and the
influence in the cybersecurity world
overall.
Well, thanks everybody for spending some
time with me and e360 Security.
Have a great rest of your day.
Good stuff.
Knocked that out in about 26 minutes.
I think it's a good digestible length.
Okay, I'm gonna stop this recording, but
while I have you, I think we should do.