The PKI Guy Talks Security Intelligence with Roger A. Grimes

“PKI Spotlight has closed a blind spot that we’ve always had in the PKI industry. I love PKI Spotlight …”

– Roger A. Grimes

Q&A with Roger A. Grimes, Data-Driven Defense Evangelist at KnowBe4

Roger A. Grimes, CPA, CISSP, CEH, MCSE, CISA, CISM, CNE, yada, yada (his words) is the author of 13 books and over 1200 articles on computer security, specializing in host security and preventing hacker and malware attacks. Roger is a frequent speaker at national computer security conferences and was the weekly security columnist at InfoWorld and CSO magazines between 2005 – 2019. He has worked at some of the world’s largest computer security companies, including Foundstone, McAfee, and Microsoft.


Transcript

TPG: Roger, based on your years of experience in the cybersecurity industry and the many books that you’ve written about cybersecurity over the years, how would you describe security intelligence? 

RG: You hear a lot about what security intelligence is from different people and sometimes I think it is so poorly done that I call it security unintelligence. But, really, security intelligence is an understanding of what the most likely threats are that are going to hit your organization. My definition of security intelligence is understanding – whatever your role is in an organization — how my company is most likely to be successfully attacked next. How are we being successfully attacked now and how are we most likely to be successfully attacked in the near future? It’s kind of like actuaries in the insurance industry. They have a really good idea of how you are likely to be injured in your life. They have these statistics like you are far more likely to die in your tub at home or falling off a ladder at home than you are to die in an airplane accident or a shark attack. I was amazed in the cybersecurity world that we really didn’t know. For 20 years, every time I went to a corporation and I talked to the IT security teams and CISO, they never had the answer. If they couldn’t give me the right answer then how could the organization appropriately and efficiently focus on the right threats?

A lot of people blame the company’s president or the CIO or the CISO and say, “They’re not giving me the right resources.” But, if you’re not communicating to senior management about what the right problems are then how can they give you the right resources? How can you put the right resources in the right place against the right threats in the right amounts? You can’t. 

TPG: When you’re sitting down with an organization and you can clearly see that they don’t have a really focused data-driven approach to their security intelligence, how do you explain to them what they should be doing from a data-driven approach to do a better job of addressing risks in their environment?

RG: These days it is pretty clear that the top two reasons why almost any organization is compromised are unpatched software and social engineering. Social engineering is involved in about 70% to 90% of attacks. Unpatched software is involved in about 20% to 40% of attacks. The third thing has changed over time. These days, because of ransomware, it’s password guessing and password/hack crash attacks. Those are the top reasons for compromises for most people. However, you need to figure out what it is for your organization. Find out how something broke. How did the hacker get in? I came up with a list of 10 to 12 ways for how things break that I’ve been tracking for more than 20 years now.

I liken it to how you have a house that thieves keep breaking into. How are they getting into the house? Ransomware is not your biggest threat. Ransomware is the outcome of your biggest threat. How did ransomware get into your system in the first place? The biggest thing about a data-driven defense is to try to recognize how things are breaking in and concentrate on closing down those avenues of attack. 

TPG: Why is security intelligence so important to organizations today?

RG: The reason why it’s important to understand what I call the data-driven nature of security intelligence is that you ultimately understand that firewalls, VPNs, and anti-virus software don’t really work. Almost every organization has those things. What they don’t have is the focused approach of looking at what the data is telling you. Usually, two to three things represent 99% of the risk. If you don’t focus better on those two to three things then you’re probably not going to keep hackers and malware out. But, if you’re able to focus on just those two to three things then you’re far more likely to keep them out. 

TPG: One of the things that our team at PKI Solutions advocates to customers is around the idea of moving the most affected and devastating accounts onto stronger security. Is that kind of an example of focusing on one or two problems and more of a data-driven approach?

RG: Yes, that is a great approach. I love the beauty of PKI when it is managed appropriately. But, there’s a lot of easily phishable MFA. More than 90-97% of MFA out there is easily phishable and people are shocked. Something that’s not easily phishable is smart cards. Smart cards are actually a fairly secure MFA solution that is not easily phished. 

I’ve written a book called “Hacking Multifactor Authentication” and I’ve written probably more than 100 articles about MFA over the years out of the more than 1,200 articles that I’ve written to date.  You can find a lot of good information in my book. 

TPG: Do you have any great success stories about customers who you’ve worked with where they were doing a haphazard approach to security and you were able to talk some sense into them? 

RG: I’ve written more than 13 books but my book about “A Data-Driven Computer Defense” has sold like 40,000 copies now. In my book, I’m literally saying you should concentrate on the ways that you’re most likely to be exploited. It’s the simplest sentence that anyone could say to the entire world. But, I’ve had people tell me all the time (after reading the book) that they’ve gone from being attacked all the time to having fewer attacks or no attacks. I have CISOs and people that are new CISOs saying that it has changed how they do cybersecurity and that does make me feel better in my heart that I’m helping some people. I hope that I wake people up and they say, “Ah, yeah that makes sense!” What are the most common ways that organizations are attacked? It’s typically social engineering, unpatched software and password issues. The average company spends less than 5% of their budget to fight the 99% of the risk. It’s just crazy. You need to re-focus on data-driven ways to defend your organization.

If you’re monitoring and measuring the attacks over time then you’ll start to see trends. You might see that email worms or viruses are dying off but USB key threats are coming up. It’s good to pay attention to increasing trends. That way you’ll do a better job at mitigating that particular threat. By monitoring threats in an ongoing way and seeing trends, it allows you to have earlier and quicker response.  

TPG: Should organizations focus on gaining security intelligence from a data-driven approach? Do you think that’s kind of a foundational approach to everything downstream from what solutions they should implement to budget to everything? Tell me more about that.

RG: Yes, a data-driven approach should drive everything – solutions, budgets, accountability, metrics, everything. Most companies today would say social engineering is one of the biggest problems and unpatched software is a big problem too. Then they’ll put out a training newsletter to teach people about social engineering. Like, you need to watch out for phishing emails. Then, the next month they’ll focus on a different topic. No. If you’re focused on doing it right, then your newsletter should be talking about the same two to three topics like social engineering again and again every month. Data should drive everything. 

TPG: What are some of the other terms that some organizations might use to mean the same thing as security intelligence?

RG: Threat intelligence is one part of it. Resiliency is another big term that I’m seeing. It really should be IT Security Lifecycle management. In the global scheme of things, there are about 10 to 12 ways that people break into systems. 

If you’re trying to decrease risk, you have to be like an insurance actuary and look at the odds. That’s what we need to do in the computer security space. We need to look at the data about how you are most likely be compromised – externally or internally – and then work at focusing on those solutions. The days of having a gut feeling are gone. You need to back it up with data. 

TPG: Do you think that security intelligence and security posture management should be done in an ongoing, diligent manner to make sure your systems are configured and operating in a way that will prevent the attacks that you’re talking about? That’s what we were focused on when we developed PKI Spotlight.

RG: Yes, it’s very important to have ongoing data. PKI Spotlight has closed a blind spot that we’ve always had in the PKI industry. One of the problems with PKI is that if you install it and it’s working well then it almost becomes invisible like background noise. Then, when things start to break, there’s no visibility. I love PKI Spotlight and the idea that you’re saying, “Hey, let us be your heartbeat checker. Tell us what is important to you and we’ll also monitor indicators that we know will help identify a healthy or an unhealthy PKI.” That way IT teams don’t have to aggressively be monitoring their systems all the time. Also, there isn’t an enterprise PKI person that I know that doesn’t want better management of those software tools from Microsoft.

TPG: Are there areas that you would say there are particular blind spots for organizations? What do organizations struggle with the most as they’re trying to come to terms with their security intelligence?  

RG: Overall, organizations sometimes don’t focus on the right things. If you don’t know what your inventory is for your software, hardware, and your data then there’s a problem. Most organizations don’t really have a good idea of where their data is stored. If you don’t know that then how can you protect your data? It’s amazing how crucial having a good inventory is to an organization’s overall security. 

TPG: Compared with 5 years ago, what are organizations doing better now and what are they getting right? 

RG: That’s a tough one. I’ve been doing this for 32 years and it seems pretty bad and pretty broken. I think that we have more information and more tools than ever before. You have the opportunity to make a better defense than years ago. Let’s just take PKI. Up until you guys at PKI Solutions developed PKI Spotlight, the best that people had to work with was PKI View and some basic scripts or macros that somebody who really didn’t understand PKI well wrote. On the positive side, there are better tools that you can buy that will help organizations do a better job than some in-house guy who’s being asked to write scripts. But, you have to take advantage of these tools. You have to have the right focus. I love the term cyber hygiene where people are starting to run tools and figure out things. Passwords and inactive accounts are probably better monitored than they used to be. But, unfortunately, because people are distracted by looking at too many things, that distraction sometimes allows the attacker to break in. The opportunity to do better monitoring and focus is there if you take advantage of the new tools like PKI Spotlight that are available now.

TPG: Gartner talks about this interesting concept of a cybersecurity mesh architecture which basically says use the best-in-class solutions and then have a single pane of glass where you can view your system. Do you think being in this new cybersecurity mesh architecture hybrid world is going to pose new cybersecurity threats that challenge what people are used to seeing today?

RG: It definitely increases the complexity and you’ve got to have the tools that have that single-pane view of different types of products. But even with increased complexity, people will ask “How are most cloud products compromised?” I can tell you, it’s social engineering, unpatched software, and password issues. 

TPG: Would you ever ask a customer to leave a particular solution because the only thing it offers is an SMS multi-factor authentication? Is that permissible if there are no other options?

RG: A common question that I get asked from IT teams is if they should be on an SMS-based MFA versus passwords. It’s not a clear thing. Some organizations have been compromised more on SMS-based MFA than they have using passwords. The U.S. Government has been officially saying not to use SMS-based MFA since 2017. There’s something to be said there.

TPG: What’s next for Roger Grimes? What’s the next book you’ve got coming up?

RG: I’m writing my first fiction book. Writing fiction is the hardest thing I’ve ever done. I’ve had this story in my head for 10 years and it’s got some computer security stuff in it but it’s really more based around human interest. I know I have a really good story and we’ll see if I can write it. These days, I’m focused professionally on pushing this idea of people needing to pay attention to a better data-driven defense. I’m also pushing the idea that people shouldn’t be using easily phishable MFAs. My career goal is to make the internet a far safer place to compute. We know how to make the internet safer than it is today. The problems are not technical. We have the protocols and we have the technology. But, it’s convincing people to agree on how that should be done.

About ThePKIGuy

President & Founder at PKI Solutions, Leading PKI Cybersecurity Subject Matter Expert, Author, Speaker, Trainer, Microsoft Certified Master.
