Abigail: Welcome to the second series of our podcast, The new realities of cyber security. I’m your host, Abigail Wilson. In each episode of this podcast we’ll be inviting along some of our colleagues who are each experts in their fields to discuss what they do here and what they’re focusing on at the moment in the ever-changing world of cyber security. Today’s conversation is centred around cyber breaches and why this remains a critical talking point for many of our clients. Our guests here today are Kris McConkey, who leads our cyber threat operation services, and Hamish Cameron from our crisis team. Today we’ll be focusing on answering a core question: why are companies still suffering from breaches? Kris and Hamish, thanks for joining us today. Could you tell us a little bit about yourself and a little more about how you work with clients, either responding to breaches or looking to reduce their exposure to them? If I can start with Kris?
Kris: Sure thing, thanks Abi. Thanks for having me. So, the set of services I look after, we class them as cyber threat operations but that’s basically a set of technical services that helps clients either detect and investigate and respond to breaches or help them actually prepare in advance of them so they’re a little bit more ready whenever the technical side of breaches happens. The other side of that, partly in the preparatory side of things as well, is actually running a team of ethical hackers that breaks into client networks so they can figure out where the vulnerabilities are and fix them before the bad guys do.
Abigail: Great, thanks. And Hamish, over to you.
Hamish: Thank you. Hi Abi, hi Kris. So, the crisis team, our main proposition is to run exercises, scenario exercises with management and executives to draw out issues and help them manage those issues. And then when they have issues, when they do have a breach, help them apply some structure.
Abigail: Great, thanks both. So, there have been several high profile examples of cyber breaches in the news recently, often critically impacting businesses. From your recent work with your clients, could you tell us a bit more about any key trends you’ve observed while working in breach response? Kris, if I can start with you?
Kris: Yeah, sure thing. So, across all of the incidents that we responded to over the last probably twelve or eighteen months, we did a little bit of research and tried to pull out some of the key themes about what the actual root causes were, and generally it came down to a few pretty obvious things. So, there was a lot around legacy IT infrastructures, stuff that had just really been forgotten about, so clients weren’t keeping it up to date and it wasn’t patched. People had actually in some cases forgotten that systems were even there. So nobody was managing them and as a result the inevitable happened. Somebody found out a way to exploit a vulnerability that hadn’t been patched, get in and start moving around the network from there. But there’s also a whole lot of other organisational bits and pieces, so the fact that there’s actually not much focus on, for example, security monitoring and there are blind spots within organisations, that they might actually have great visibility on what’s happening in a specific area of the business but actually much less in others, so if something bad happens there they can’t see it. But the reality is as well, the bad guys are typically getting smarter, they’re typically creating new tools to bypass all the latest security controls as well. In many cases, whenever they get a foothold in an organisation, companies don’t have the right kind of detective technologies in place to actually figure out that there has been a breach and stop that before it becomes or causes some kind of impact.
Abigail: Great, thanks. And Hamish, are there any key trends or takeaway points that you’ve observed from your recent work?
Hamish: Yeah, so, recently I’ve noticed clients leaning towards designing scenario specific plans for their business to follow, not just for their IT teams to follow. And we’re seeing in big, complicated organisations, designing, implementing tactical teams to support the executives who are not necessarily comfortable with making decisions against a cyber event, these tactical teams to take those decisions on their behalf.
Kris: If I can chip in one thing on that, it’s quite similar to one of the things that we’ve seen probably a few organisations struggle with, and actually the ones that are very well rehearsed in terms of dealing with incidents typically treat this as a little bit almost like muscle memory. But it’s the translation between some of the really technical stuff that happens during an incident, the malware analysis, the network forensics and a whole bunch of the proper techy stuff, through to what a board actually needs to hear, what a crisis and comms team needs to hear about an incident. So, a forensics guy saying “hey, we found artefacts of PlugX malware in a domain controller from 2016”, what does that actually mean to the business and the exec? And what do we tell the regulators and what does the ICO need to know? Being able to translate that to something that actually has a meaningful impact to the execs, as in we’re going to have to take the network offline for three days to do a global password reset across forty thousand users in thirty countries so we can’t trade online for those three days, is actually something the board understands rather than the really techy stuff, and that layer you’re describing in the middle is sometimes really well placed to make that translation.
Hamish: Yeah, almost as a bridge between the IT and the business and technical and strategic.
Abigail: And that’s a great point. Kris and Hamish, you look at our clients’ challenges through different lenses, the technical and the strategic. Could you each tell me, from your own perspective, what you think the deeper root causes of this are? Why ultimately are so many organisations suffering such a huge fallout from cyber breaches?
Kris: So, if we look at any breach really, there is almost always a time lag between the initial intrusion into a network and when the bad guys get what they came for, i.e. the data they plan to take out of the network, the credit card information and transaction data, whatever it happens to be, and in some cases that can be a year or longer. In fact, many of the cases we’ve investigated over the last twelve or eighteen months have been longer than a year. So, there’s this huge window that victims have to actually find and stop a breach or intrusion before it becomes a crisis effectively, whenever they’ve lost loads of information, having to start telling regulators, and so on. And a lot of the reason for the technical side of things not being contained earlier is really a lack of visibility and a lack of control in the environment. So, two really quick things: there is a phenomenal set of guidance from the Australian Signals Directorate called The Essential Eight, which is basically eight things, they’re not all easy to do but they have a disproportionate impact on an organisation’s ability to stop bad stuff happening. Most of our clients haven’t been able to do those eight fully but they’re phenomenal and actually free things that you can do. And then once you’ve got those eight in place, having a bit of monitoring across the top of it so you can actually see where things have bypassed those controls, that would actually give a lot of clients a huge technical leg up on where they are at the minute.
Abigail: So, those are covering the technical failures. Hamish, what would you say about the more management and strategic side of that?
Hamish: So, in addition to the technical piece, the fact that these data breaches are still classified, self-classified as crises is a really interesting point. So, crisis is quite an interesting term itself.
Abigail: Actually, that’s a great point. As you work inside our crisis team, I have a particular question for you.
Abigail: Is there a difference between a breach and a crisis?
Hamish: Sure. So, I would suggest a breach is a type of crisis if the company suffering from the breach is not adequately prepared to manage the event with confidence.
Kris: I think that’s really important. So, we have seen very similar types of incidents at different organisations, one organisation has handled it beautifully and they’ve rehearsed for it, it’s like muscle memory to them, they take it in their stride. Exactly the same thing at another organisation handled really badly, unprepared for it and as a result a huge crisis fallout from it. So, I think a lot of this comes down to the prep and rehearsal side of things.
Hamish: Yeah, particularly the exercising piece is a really useful tool to draw out. So, do scenario exercises, talk through them, walk through them, and draw out the issues and challenges so you can fix them during peacetime. We often see clients invite the regulator to the exercises just to observe and it’s those exercises, those clients that build really great relationships with the individuals within that regulator.
Abigail: Definitely. So, a lack of preparedness really means that a breach can easily turn into a crisis for a client.
Hamish: Yeah. So, it comes down to perception, it all distills down to...
Kris: Some of it is personalities as well. It’s fascinating. I’ve watched some of the stuff that you guys have done with clients and the one thing that is always amusing is whenever you get the executives together who would be involved in a proper crisis and seeing which of them have a completely disproportionate impact on the whole decision making process for how they respond to things, and actually they never really realise how much of an overbearing influence they have on some parts of the decision making process until you go through the wash-up with them. And you’re like, why did you make this terrible decision? Everyone is like, oh well actually it was this one person and we didn’t really think this was a bad decision at the time, we just let them go with it. So, all of that, understanding the personalities and the profiles and how people gel together in an incident, is massively important.
Abigail: Definitely. And looking to the future, if we anticipate that breaches will continue to remain a risk for our clients, how do they become more proactive and prepare for the worst? Are there steps that they can take to do that?
Hamish: So, I think there are some simple steps. So, Kris has alluded to eight basic steps founded in good practice technically that clients can take. There are definitely thematic findings that we can put our fingers on when we hold exercises. Every couple of weeks we sit down with a different executive committee, run a similar breach scenario, worst case breach scenario, and almost in every instance there isn’t, so to Kris’ point, the dynamic piece isn’t so clear, the person in charge doesn’t run the meeting like a crisis meeting, they run it just like a standard meeting, and everyone shares their views, and actually you need a character that’s a real leader, can control the room and also skilled in listening and distilling down issues and applying these facts, understanding the facts, getting on to the issues that arise from the facts, getting on to the action to deal with the issues and running it like a crisis. It’s a really simple thing that, a little bit of training for the right leaders.
Abigail: And it’s definitely about having the right skills as well in place.
Hamish: Yeah, so the right personalities and there’s a lot of pre-work that clients can do. So, knowing their data landscape, knowing who their key stakeholders are, who the regulator contacts are, who their internal relationship owners are, and having particularly in the bigger, more complicated organisations, essentially a crisis structure so it’s clear who the individual decision makers are, at what point they’re engaged, and all the other good, generic crisis…
Abigail: So, having those responsibilities mapped out in the event that you would need to then initiate them in response to a crisis or a breach?
Hamish: So, yeah for a breach it comes specifically to one of the critical decisions that will need to be made and when and who is making those decisions. So, just pre-working that piece gives the team confidence.
Kris: Yeah and if I just rewind thirty seconds, the point you made about the skills bit being important, the policy and the process behind this is important to have documented but the skills obviously are acquired through practice. No one becomes an expert in handling crises without practice and having been through it. So, again, just the experience of working through this with the team that’s going to be involved in this is hugely important.
Abigail: Definitely. So, it’s all about being proactive as well as reactive in the event that you need to. I’m wondering, based on your recent work, do you have any predictions for the future? What do you expect to find working with clients in the future?
Hamish: Sure, so, I think we’ll see the role of the CISO, the technical leader, grow in prominence and decision making autonomy, given how grey and complicated a cyber event can be. And on the other hand how clear the regulation is and easy to interpret. I think we’ll see breaches continue thematically as a crisis for many, many years to come and only when clients, companies devote the necessary exercising, investment, training and relationship, internal relationship mapping and development will they feel comfortable enough to call it breach management and not crisis management.
Kris: There are two things from me. If we look at the general trends that bad guys are moving in, or the direction they’re moving in at the minute, they’re moving up the value chain. So, we’ve looked at Financial Services targeting over the last few years and if you go back even five years it was focused on consumer bank account usernames and passwords, so for you and me and our home bank accounts, then it moved into commercial and corporate online banking and then up into more the central banks, and if you follow that to its logical conclusion it will probably continue going up the value chain of Financial Services into some of the clearing houses, where actually you get one group that’s able to get into those networks and actually have a really significant impact in either being able to disrupt information flows that a lot of trading systems rely on or be able to conduct huge frauds off the back of it. And then the second thing that we’ve seen a lot of in the last twelve months is the erosion of trust somewhere in the chain, so you’ve got outsourced bits of the supply chain like IT managed service providers, which we’ve seen some groups target, and actually getting into one of those then gives them access to all of that managed service provider’s customers. We have the software supply chain, which we saw with NotPetya and the CCleaner attacks, and then even recently we’ve seen some reporting on the hardware supply chain and that being targeted as well. Obviously it is a thing; I have my own views on how reliable the recent reporting is on that specific issue, though.
Abigail: Do you think the amount of breaches we’re seeing in the media is driven by new regulation? For example, GDPR requires all users impacted by a breach to be notified. Do you think we’ll see the airtime given to breaches increase in the future, partly due to regulation?
Hamish: Yes. I think we will see the airtime given to breaches increase in the future. I think interestingly there was probably a bigger regulation gap than was anticipated back in May and I think we’re probably seeing a bit of a cultural shift in respect of privacy, in respect of data. What do you think, Kris?
Kris: Yeah, I think that’s fair. I think we’re definitely going to see the amount of reportable incidents going up. A lot of people are still trying to figure out whether some of the breaches that might have started pre-GDPR coming in should be reported or not reported and how they should be reported, so there’s a lot of people still finding their way in this stuff. We’re certainly seeing an impact on some of the managed detection and response services we provide, where we’re being asked now, whenever clients find out about breaches or we tell them about a breach, to use some of the technology and the visibility that we have in clients to help them figure out in that first seventy-two hour window precisely what has happened and reduce the time frame for the investigation so they can actually get some notifications out quicker.
Abigail: Definitely, GDPR has certainly triggered a shift in attitudes towards data security and of course to breaches themselves, and many clients might not realise that GDPR is of course also about the technical controls that you have in place. It’s not just about what you do in the event you identify a breach and focus on the more strategic business decision making side but also the technical response side. That’s great. We’ve certainly covered a lot today. Thanks both for joining us again. It was great talking to you about this.
Kris: Cheers Abi.
Hamish: Thank you.
Abigail: Thanks for listening. Remember to subscribe to our series so you don’t miss out on our future episodes. And if you have any questions about what we do here in cyber security, please reach out to our guests on LinkedIn or send me a message on Twitter @securityswan. In our next episode we’ll be chatting about what we’ve termed as the basics of cyber security and why it’s important to get them right.
Cyber Threat Operations - Manager, PwC United Kingdom