Last December, as Neil Daswani and Moudy Elbayadi were counting down the final weeks until the publishing of their new book, “Big Breaches: Cybersecurity Lessons for Everyone,” they had no clue the infosec world was about to uncover perhaps the most significant mass breach in its history: the SolarWinds hack.
The timing couldn’t be any more appropriate for their instructional tome, which identifies the six key root causes of most breaches – phishing, malware, third-party compromise and abuse, software vulnerabilities, unencrypted data, and inadvertent employee mistakes – and offers key tips for security professionals, business executives, board members and consumers to defend themselves.
A former senior vice president and chief information security officer with Symantec’s consumer business unit, Daswani is the co-director of Stanford University’s Advanced Security Program and a cyber/AI adviser for investment firm Bryce Catalyst. He is also the co-founder of Dasient, a Google Ventures-backed security company that was sold to Twitter in 2012. Elbayadi, meanwhile, joined Shutterfly in February 2020 as senior vice president and chief technology officer and also serves as an adjunct, assistant professor at University of Maryland University College. He served as VP and CIO of the consumer business unit at Symantec, and took on past CIO roles at LifeLock and ID Analytics.
SC Media spoke to Daswani to understand how SolarWinds compares to the notorious breaches cited in his book, and the key lessons and takeaways he hopes will benefit readers. Published by Apress Media, “Big Breaches: Cybersecurity Lessons for Everyone, will be available to readers in February 2021.
After the SolarWinds hack, people are going to reading your book in a whole new context. Perhaps you could tie this latest incident to some of the big breach examples you write about about.
One of the key things that the book does, is that it goes back to the Target, JPMorgan Chase, OPM, Equifax, Marriott, Capital One and Facebook breaches. It [looks at] the histories and stories of those breaches, and also analyzes their root causes… The second half of the book focuses on a roadmap to recovery, given what's taking place in the world.
I also analyzed the root causes of over 9,000 reported breaches. And it turns out that there are really six key technical root causes behind all these breaches… [They] are: phishing, malware, third-party compromise and abuse, software vulnerabilities, unencrypted data, and inadvertent employee mistakes. And what we see with the SolarWinds breach is that it is a breach that is due to a third-party supply chain compromise.
It is certainly novel in terms of its scale, in terms of the number and type of organizations affected. But I would also say that it's not a complete surprise. Going back to the Office of Personnel Management breach from 2015, in which over 20 million government employees had their identities stolen: that was also a third-party compromise, and it started with a company called KeyPoint Government Solutions that helped do background checks for the OPM.
And then, if you look at Target and JPMorgan Chase, they were also compromised due to third parties initially – their HVAC supplier, their charitable marathon race’s suppliers. So third-party breaches are certainly nothing new.
Compare some of your past breach examples with SolarWinds in terms of scope.
SolarWinds is certainly interesting in terms of the number of organizations – they have 300,000 customers, the majority of the Fortune 500 are customers… all five branches of the military are customers… Now, out of the 300,000, 18,000 seem to have received a malicious software update from the compromise… I should also say that it's still early.
In terms of simply the size of the breach, at this point there have been bigger breaches, both in the number of data records stolen, as well as number of organizations affected. For instance, if we think back to WannaCry – malware that was attributed to the North Koreans back in 2017 – that infected over 200,000 organizations. Now, of course, the there was a much larger diversity of organizations affected by WannaCry, including hospitals. So I think it is interesting that the types of organizations [in the SolarWinds case] are definitely more targeted than WannaCry was.
In terms of the numbers of data records stolen, if we think back to the Yahoo breaches that were announced in 2016, all 3 billion Yahoo user accounts were exposed in that breach… So these are all pretty significant breaches.
I think that SolarWinds is interesting because it’s been compared to a digital Pearl Harbor. But I would say one distinction is that Pearl Harbor was a complete surprise. [But in this case,] various agencies in the U.S. government have been warning other agencies in the U.S. government about nation-state actors and cybercriminal threats since 2005, 2006, 2007. So this is not completely unexpected.
I think also what's interesting – I will love to see how this plays out – is understanding exactly how much and what data actually got stolen. But as we know, these investigations take time and it'll be interesting to see how big and bad it is. I do. I do hope that this does serve as a wake-up call. Not only for the government, but for the cybersecurity industry.
What motivated you to write the book and what inspired the book’s concept?
A couple things. I had taken on my first chief information security officer role back in 2015. And walking into an organization, being responsible and accountable for security to the point that, if something goes really bad, really wrong, you can end up in front of Congress for the wrong reasons, I took it upon myself to make sure that I understood what were the root causes of all the breaches that have taken place.
One of the things that I do is I serve as a co-director of Stanford's advanced security program. And back in 2017, one of the program managers at Stanford had asked me to give a webinar. And we thought it might be fun to just cover what were some of the reasons that some of the biggest companies were getting breached. And so really this book started with research that I had started presenting in 2017. And this information… started filtering its way into some of our courses at Stanford. We have a foundations of information security course, where, in addition to covering the traditional types of cybersecurity material that you might imagine, we thought it would be important to cover the past failures of the field, so that we can we can get past them and make things better.
When you think about mechanical engineers, for instance, I don't think there was a mechanical engineer that doesn't know what were the reasons that the Tacoma Narrows Bridge fell apart.
One chapter of the book appears to be devoted to addressing the cyber skills gap, laying out the types of careers that are available to aspiring infosec pros. Can you talk about what your intent was in creating that section and what you hope the key takeaway is there?
We were looking initially at a book that would help bring more people into the field. And the original subtitle for the book was, “Why Cybersecurity Needs You.”
The very last chapter in the book does focus on how folks can apply their existing skills to get jobs in cybersecurity. And there's a deep need for information security analysts, there's a deep need for security architects, there's a deep need for even more CISOs. I think like 30 percent of public companies still don't have CISOs. And what that chapter does is it describes how a typical information security team in a company works, maps out target cybersecurity roles based on one's existing profession, and [explains] how to build on one's existing professional skills to get a job in cybersecurity.
Another chapter offers instructions to organizations’ board members. What are some of the important lessons here?
I think that a lot of times when you need to solve big problems, it may make sense to try and solve it top-down.
[With] the OPM breach, for instance, it was pretty clear that the top management had not invested as much in security as they as they needed to… I think the Office of Personnel Management was spending only $7 million per year on IT security. It was spending less than the Department of Agriculture has on their security.
And so we said: We need to get information out to board members so that they can be asking the right questions to the CEO, and help figure out what's the right amount to invest, prioritize the appropriate risks and then execute on it.
I think the other thing that has got cybersecurity discussions going in the boardroom about is all the new regulations that have been coming into place. And specifically, what the regulators are looking for when they're assessing penalties. So that's been getting board members to care.
So we give advice on a couple things to boards. First thing we tell boards is to start with what are the existential security risks to the company. There are some companies where if security doesn't go right, it could mean the end of the company… For some companies that might be a data breach. For an e-commerce provider, it could be a major denial of service attack.
And then what are the kinds of security controls that can be consistently, adequately employed, and be effective for what they need to do? And also be reasonable given the size of the organization to achieve the goal of security?
Tell me more about the chapter specifically designed for technology and security leaders.
We also give advice to technology and security professionals who perhaps are not used to or don't have as much experience being in front of a board… Often, they're very used to talking about things in very quantitative ways, and talking about metrics and assessments of various kinds. But our advice is, when folks present to boards, they need to start with a story.... And then you back it up with data and metrics and such things.
For a lot of chief security officers in their roles, one of the challenges is that they're faced with complying with a lot of different standards: ISO, NIST, FedRAMP, HIPAA, PCI… But one key insight from the book… is that while there's a lot of these different check boxes that need to be checked, the countermeasures that one employs to address the six key root causes of breaches perhaps matter the most. In particular, the scientific effectiveness of your countermeasures… is what's really, really important.
And so basically we give advice for all kinds of technologies and security professionals to focus on those countermeasures and, when they're in discussions with boards, to make sure that they connect what they're doing with what are the high-level business outcomes.
So for instance, a CISO, or a technology professional or IT director might be like, “Oh, I'm working on HIPAA compliance.” But the question is, “Why are we working on HIPAA compliance?” And I think that the way to talk about that to the board is to say that what we're doing is, by satisfying this compliance standard, we are enabling the business to sell into the healthcare market, whereas previously, we weren't able to do that… It should be more about growth of market and whatnot, because that's the language that the board understands, rather than satisfying a compliance standard.
You also make some research-based observations on cyber investments.
I have analyzed where the $45 billion invested in the cybersecurity field over the past 15 years hass gone thus far. And [I] line that up next to what have been the identified root causes of all these breaches, and use that to come up with investment hypotheses as to where the next set of dollars should go.
So we identified things like: Out of the $45 billion, $11 billion has gone into network security, which is a basic necessary, but not sufficient defense. And if you look at what's gone into blockchain and cryptocurrency, it's been $10 billion. It's a lot. But I don't know if it needs to be commensurate [with] areas like privacy and Internet of Things security. Less than $1.5 billion has gone into each of those areas.
In 2019, Facebook got fined $5 billion for privacy issues. So that one fine was more than three times the amount of investment that's gone into that area. So we need to invest more… It's not just important to throw money at important problems, but the money has to go in the right direction.