ENFUSE 2019: Security Regulations, Insider Threats, and IoT Privacy Risks

Threatpost sits down with incident response expert Kevin Golas to discuss the top takeaways of ENFUSE 2019 this week.

LAS VEGAS – From insider threats, Internet of Things insecurity, to medical device hacking, ENFUSE 2019 broke down the top privacy and security issues help desks are seeing today. It also tackle what regulatory efforts are being developed to address those threats.

Threatpost editor Lindsey O’Donnell-Welch sits down with Kevin Golas, who leads up OpenText’s incident response team, to discuss the top takeaways of the show — and which threats he thinks will keep infosec teams on their toes.

For direct download, click here.

Below find a lightly-edited transcript.

Lindsey O’Donnell-Welch: Welcome back to the Threatpost podcast. I’m here today at ENFUSE in Las Vegas. And I’m joined with Kevin Golas, who leads up OpenText’s cyber security incident response team. Kevin, thanks so much for joining us.

Kevin Golas: Thank you.

LO: So can you give us a quick introduction to yourself and your role?

KG: Sure. I’m the director of security services at OpenText, that is, I focus on forensics, digital forensics, incident response and risk and compliance worldwide for our customers, like I said, on incident response and risk and compliance.

LO: Well, there’s a lot to kind of unpack there, especially with the compliance that I’m seeing at the conference. And I feel like we’ve seen a bunch of kind of big trends so far around security and privacy. And I  wanted to talk about some of the biggest threats that you’re seeing right now. And one of the top trends that has been discussed so far at ENFUSE is insider threats. I know at the keynote yesterday, there was some chat about that. And I’m there been a couple of sessions about that. What are you seeing with insider threats? What awareness do companies have about this right now? How big of a risk does this pose for companies?

KG: Yeah, so insider threat can be taken in a couple different ways. I’ll just go by the person that clicks on the email that doesn’t realize that they clicked on a phishing email, and now have compromised their company right? So I think – I don’t remember the statistics off the top of my head – but it’s something like 86% of most breaches happen from spearfishing or phishing attacks. So I definitely see a trend, I’m more focused on that. And kind of like analyzing, you know, different technologies that can combat that. Right. But at the end of the day, I mean, I think there’s a bunch of different ways to combat that, from security awareness training, not to click on that particular thing, if it’s, you know, here’s your invoice, dot dot PDF, and you don’t know anything about it, right? I think that will help a lot. Like you got to continue on with that training. But then you also can do it with technology as well, too, right? I won’t get into what technologies, right, but, if you click on it, it kind of checks that URL before it actually goes to that URL, or it’s on a whitelist or blacklist, if you will, there’s just a lot of process flow that needs to happen and continue to happen as I try to identify those threats before it becomes an issue.

LO: Right. Yeah. And I feel it’s it’s interesting that you kind of bring up like the unintentional insider threats aspect too, because I do feel like as I at least for me as a, as a tech reporter, I write about kind of these super trivial attacks, but then what most companies are dealing with are phishing attacks, spear phishing attacks, BEC attacks, things like that, scams. So I think that is a much more prevalent threat that a lot of people are dealing with today. But what about kind of the more intentional insider threats? I mean, is that something that you see people dealing with all all? I know that there are cases of rogue employees, disgruntled employees, things like that. What are you seeing there?

KG: Yeah, I definitely still see that to be an issue, right. I mean, am employee gets terminated, they don’t cut off his or her access, and then a person still has access to the kingdom, and they steal or delete. I’ve had a couple of people delete the entire system, even the backup system, and they weren’t able to get it back and there was no alerts, there was nothing that triggered it until they realize that their systems were down. So, yeah, I definitely see a trend in that. And  there’s a lot of alerts set up that you can look for anomalous behavior, right. And I do see the market, we talked about it for quite some time, but I think there’s a lot more kind of profiles being done a lot of like, triggers, this person usually only downloads, let’s just say a gig a day and all sudden I saw him download 10 gigs. That’s out of the ordinary. Let me go check into that. So I do see in a lot of security operation centers, that they’re looking for that insider threat or that potential insider threat, and then I see the industry really trying to move to predictive. And trying to say, Okay, listen, you know, we see that, you know, there’s a certain like, an event that happened, like I said, if someone got terminated, and now they can profile that person, that person put his two week notice in and you can kind of profile that person, they kind of put a little extra security on that particular person. I know, some organizations are doing that as well. So they’re kind of focusing on that insider threat. Some companies have it where if you give your two week notice you’re done that day, other companies do not. So it just goes company by company, I would even say vertical by vertical. So when they do that, then they kind of put more of a watchful eye on that person, make sure he or or she can’t go to like Dropbox and download things or whatever the case may be.

LO: That’s very true. And actually, I think this was mentioned yesterday in the keynote, but what do you think about data privacy as it relates to monitoring employees for that kind of insight of cyber threat? I think it was yesterday at the keynote, someone was mentioning how GDPR has certain requirements nowadays, and there’s a gray area there as to what that means for monitoring and things like that, but it was an interesting point.

KG: Yeah it’s a tricky landscape because when you have bring your own device, but then you’re putting corporate assets on it or monitoring devices on it. What do you switch from? I’m at home now I shouldn’t be monitored, right? GDPR, CCPA, all those things now are coming out with consumer protection rights, which I definitely think are good. Because, if you have sensitive information on there, it should be protected and there should be safeguards to it. But kind of what your point is, if there’s personal data, I’m looking at my banking, should that corporation on my BYO device be able to see that? And I see the industry probably moving to some way to be able to turn off the monitoring or not capture that when you’re going to a home site or you’re not on the company domain. Right. I really see that that’s going to come up in the near future.

LO: Well, speaking of GDPR, CPA, what are you seeing in terms of privacy threats? I know, that’s something that’s come up a lot in the past few days in terms of what that means for consumers and how law enforcement and how regulators are approaching that issue. What  kind of the current state of privacy and what threats are we still going to face in the long run?

KG: Yeah, I really see a lot of, with all the fines coming down now, right, with GDPR, I do see a lot of more focus on having kind of assessments being done and risk-based approach put into a lot of their systems. And the ability to be forgotten in GDPR is really an issue because the companies have to go search all of their databases to go find if Kevin Golas’ name is anywhere in any record on any backup and he needs to be forgotten. You need to go erase all that. So that’s becoming a real burden on a lot of things. It’s very manual at task, and then you have to have a validation of it as well. So I really see that a lot of these privacy regulations are coming down. It’s good because making companies really focused on data privacy and encryption and making sure everything’s encrypted, everything’s safeguarded. Then there’s also other constraints because you have to go find this information anywhere it lies, and then get back to say that they have been deleted.

LO: And I know that there were kind of a lot of hoops that companies had to jump through when it came to GDPR’s original implementation, and I’m sure since then, and then I know also here in the U.S. there’s a lot of kind of state-level regulatory efforts, but not so much on a federal level. So that further complicates everything. Just seems to be a whole mess for companies.

KG: Yeah. Like you have companies that have to comply with New York DFS regulations, and then CCPA coming out and then GDPR. Do they have offices in Europe? There’s a lot of complexities that companies and there’s a lot of different interpretations of what they have to do and what regulation they have to do things for and what should they do? So yeah, I see it evolving. I see it becoming, you know, a lot more interpretations coming down. And I know a lot of companies – I was in a couple of conversations today, where people are asking us, like, if I got hit with ransomware, and it’s encrypted, is that a breach because it’s encrypted? And I said, Well, it depends if the hacker view transmitted copied any of that information, but it was it was from GDPR. And from these other regulations, people are now knowing about encryption and understanding the regulation, but then there’s always like, what if this and what if that and it’s tough to interpret.

LO: Right. Yeah, for sure. So I’m trying to think of some of the other kind of overarching threats that we’ve been discussing over the past few days. I know IoT security came up alot and that kind of fits into the regulatory topic we’re speaking about in that there’s not alot of regulation there.

KG:  It’s amazing. I chose refrigerator without the IoT, just because I wasn’t ready for it. Yeah, but again, let’s go refrigerator route. If your fridge has Bluetooth or Wi Fi that can be compromised. And now your fridge can be your weak link. Let’s say you bring your work computer home, or you bring your work phone home, you connect from your Wi Fi. Now the refrigerator hacked your Wi Fi, I can see your work phone here I can compromise either Bluetooth or Wi Fi just from the refrigerator. Right? So it’s amazing. Like I’ve done some network forensics at home, testing our products or whatever. And I didn’t even know my Xbox is connecting my kids. Bluetooth is connecting. Sometimes they have other Wi Fi devices and it’s amazing to see just that my home I had over 15 devices connected to my own home Wi-Fi. So now complicate that with corporations. And you bring all these different devices on they’re connecting, are they authenticated? Are they not authenticated? Are they a risk? Are they not a risk? And you have to identify that pretty quickly. So I think all of those things like refrigerator hacking you is amazing. But it’s reality.

LO: Right? Yeah. And I mean, like you are saying, It’s right there in the home too. And you think about, you know, Amazon Alexa and some other things, the Ring doorbell. A lot of these are already in many people’s homes. They’re in my home. So it’s close to home, I guess. But do you think that we’re going to see any sort of regulation for the IoT security issue? Or is that still years away at this point?

KG: I think we’re probably years away, just because, you know, to put encryption on these things, and to put like authentication on them, now they need to become like a small mini computer which needs to have electronics built into it, right, authentication devices. But I do think that there’s going to be a need for it. Because I think it’s going to become a problem when more companies start finding out what the root cause was. And they start saying the fridge hacked you or your Nest, or Alexa, but that’s going to drive that innovation, but it’s going to take years to do it.

LO: Right. Well, something to keep an eye on. So looking ahead to 2020 from your vantage point, what are some of the top threats or just trends that we’re seeing, or that you think will really start to increase in the coming year?

KG: So machine learning seems to be one of the main topics. But as we started getting involved in this ourselves, and we understand like machine learning in the cyber world means something different than it does in like tax mining, right? And machine learning in the cyber world is definitely needed because there’s millions and millions and millions of lines of logs that analysts need to get through. And it’s impossible to do that manually. And then I would say it’s impossible to without machine learning.

A lot of people are getting through like they think machine learning is going to be the answer. And it’s going to be more of a machine learning along with analyst and along the intelligence. Once they all come together to a good workflow, I think we’re going to come to a better place than where we are right now. Because we can’t get a SoC analyst or threat intel analysts cannot get to all of the data or the risks, they might have seen it the rest on Tuesday. They don’t get to it till a month from now, or it was triggered first on Tuesday, the same risk came up 14 more times, but they just didn’t have the time to get to it or as a lower risk. So when you have machine learning built in and threat intelligence, and you have those kind of like, streamlined and actually workflow it out, I think that will help analysts kind of pick that first breach before it becomes an actual systemic breach.

LO: Yeah, I mean, is that something that you’re seeing already? Or is it just going to kind of ramp up and 2020?

KG: I’m seeing a lot of people say that they do machine learning, but then when we start to interrogate that a little bit more, and understanding what we mean, when we do it, so then we kind of go, are you doing this? Statistical analysis is good, right? When you’re looking at trends saying, Okay, this is the highest destination IP, that’s a trend or that’s a statistical analysis. That’s not machine learning. That’s not but I think a lot of people are kind of flip flopping those terms. So true machine learning. It can get through a lot of data and can tell you pretty, pretty high score that these risks are high. A lot of people you hear about have a lot of alerts to get through. They say they have machine learning, but then at the end of the day, it’s really not. So I think a true machine learning will help a lot of analysts get through millions and millions of log lines into what their actual threats are.

LO: Yeah. Well that’s, that’s really interesting. And, Kevin, thank you so much for coming on to the Threatpost podcast today to kind of talk about some of the biggest threats that you’re seeing.

KG: Yeah, I appreciate it. Thank you.

 

Suggested articles