Women Leaders in Cybersecurity: Cybersecurity 2021
Judith Germano: Hello and welcome to the fifth annual Women Leaders in Cybersecurity Conference. Since 2016, we have brought together leading women from a multi- Judith Germano: interdisciplinary perspective to talk to us on critical issues in cybersecurity with strong backgrounds in government, academia, business, law, policy, and security. So welcome! This year, of course, it's a very different event, and indeed this year has been a very different, Judith Germano: our event is very different this year, I'd say, and this year has been a very different event. I think you got that, you're with me. It's been a hard year, 2020. Judith Germano: We are so thrilled that we could meet, even in this different way, and one benefit is it means that we've been able to bring together so many different people from all over the country.
Judith Germano: We're going to start right now with our Dean of the NYU Tandon School of Engineering, Jelena Kovacevic, who has an amazing background, you should take time and read her bio. Judith Germano: But I will just say she is an amazing woman with technological expertise, leadership expertise, and cybersecurity know-how. Jelena, thank you for joining us today, Dr., and I kick it to you. Jelena Kovacevic (she,her,hers): Thank you, Judi, so much. Good afternoon to everybody, to wherever you are. I'm excited to see 259 participants, this is amazing. As Judi said, this is the fifth annual Women Leaders in Cybersecurity event, Jelena Kovacevic (she,her,hers): and I want to take a moment to thank the entire Center for Cybersecurity, our colleagues at NYU Law School, my fellow faculty at NYU Tandon, and distinguished fellow Judi Germano for serving as program chair. Jelena Kovacevic (she,her,hers): I should also note that while this iteration has been going on for five years, the Center for Cybersecurity Jelena Kovacevic (she,her,hers): has been running programs, encouraging women and girls, meaning of all ages, to enter cybersecurity. Jelena Kovacevic (she,her,hers): And so today's event has three major goals: to bring together industry thought leaders to discuss critical cybersecurity issues from technological legal policy and business perspectives, Jelena Kovacevic (she,her,hers): to provide women experts in the field with a platform, reflecting our own efforts to increase the number of women and people of color in the field, Jelena Kovacevic (she,her,hers): partly by increasing our presence in cybersecurity top leadership, whether in panels on organizational teams in the boardroom and the classroom, Jelena Kovacevic (she,her,hers): which, by the way, will help us reach our third goal is, which is to inspire all women to enter and advance in cybersecurity, Jelena Kovacevic (she,her,hers): in which professionals are more than twice as likely to be men - not here, as you can tell - and steam fields through the inspiration and advice of the role models who speak at our events over the years.
Jelena Kovacevic (she,her,hers): Clearly, there has been progress in advancing women's voices and leadership roles in cybersecurity, but also clearly more work needs to be done. Jelena Kovacevic (she,her,hers): The number of cybersecurity professionals for women or from underrepresented communities has increased, Jelena Kovacevic (she,her,hers): but we still need more women in the field and salaries overall are on average below those of men. And also, while the Covid pandemic has significantly impacted everyone, Jelena Kovacevic (she,her,hers): studies show that the loss of jobs and harm to careers have been a harder hit for working women than men. Jelena Kovacevic (she,her,hers): We know that diverse teams have better success in handling and responding to crisis, including cybersecurity events, Jelena Kovacevic (she,her,hers): so conversations and programs, like the today's, need to continue and I'm really, really grateful to all the panelists and number of amazing women for joining us today to share their expertise. Jelena Kovacevic (she,her,hers): We all know and have felt in fact from this unprecedented, been a crazy year in many ways, the fact that Covid has been a global event has brought us closer together. Jelena Kovacevic (she,her,hers): And during this global crisis, cyber criminals in cyber incidents have continued to persist and in fact, have increased, Jelena Kovacevic (she,her,hers): and cybersecurity remains an essential priority and key element of any corporate risk management strategy, which is why this is one of our Tandon's areas of research excellence, and it spans multiple departments, and in the case of Center for Cybersecurity, schools and disciplines.
Jelena Kovacevic (she,her,hers): Evolving technology, such as 5G wireless, digital manufacturing, healthcare, and many more, are shaping how we leave communicate and work, but they're also opening up vast new threat landscapes. Jelena Kovacevic (she,her,hers): It is increasingly evident that cybersecurity must be prioritized as an aspect of our everyday lives, beating business decision-making or as a key component of enterprise risk management and strategy. Jelena Kovacevic (she,her,hers): After years of being relegated as an IT issue, cybersecurity is now taking center stage at organizations across industries and in government. Jelena Kovacevic (she,her,hers): At NYU, we are training and supporting cybersecurity leaders through a number of programs, such as our Masters in Cybersecurity, Risk & Strategy Executive degree program, Jelena Kovacevic (she,her,hers): and that's a joint collaboration between the NYU Tandon School of Engineering and NYU School of Law, our Cyber Fellows online program, and and the myriad cybersecurity programs within Jelena Kovacevic (she,her,hers): our academic offerings across the school, and it's approved that the diverse and interdisciplinary approach to critical issues is is better than a narrow view. Jelena Kovacevic (she,her,hers): And our interdisciplinary panel of experts today will discuss ways to better understand and address a wide variety of cybersecurity issues and threats and share tools, technologies, and solutions to address them.
Jelena Kovacevic (she,her,hers): For example, ransomware attacks can continue to rise at alarming rates, including in hospitals, causing a negative impact on public health. Jelena Kovacevic (she,her,hers): Data loss from intellectual property theft, including efforts to obtain and manipulate vaccine research is a critical concern, Jelena Kovacevic (she,her,hers): and inadvertent disclosures and insider threats remain serious problems. We also need to be debating at the highest levels technologies, Jelena Kovacevic (she,her,hers): that while enabling, enabling insights into personal health, public safety and convenience (such as surveillance tools for law enforcement, Jelena Kovacevic (she,her,hers): contact tracing for Covid management, and facial recognition tools, to just give a few examples) have a real potential to compromise privacy foster bias and even compromise our institutions. Jelena Kovacevic (she,her,hers): Meanwhile, the global landscape of regulations and liabilities continuously involved to make cybersecurity, risk management, all the more challenging.
Jelena Kovacevic (she,her,hers): These are but a few of the topics today's panel will discuss. To get cybersecurity right requires an interdisciplinary approach. Jelena Kovacevic (she,her,hers): With valuable input from and collaboration among engineers, technical experts, legal advisors, business strategists, and policymakers, Jelena Kovacevic (she,her,hers): today we bring you such an interdisciplinary panel as we look forward to a new year hope for a healthier and safer and much more fun than this one. Jelena Kovacevic (she,her,hers): So let me just close by again to thanking Judi, everybody associated with the Center with Cybersecurity, Jelena Kovacevic (she,her,hers): my fellow Dean at the law school, Trevor Morrison, and each of you for choosing to value the need for increased leadership from women in cybersecurity Jelena Kovacevic (she,her,hers): and realizing that diversity is integral to success in any, and in fact, all enterprises. Thank you again and I wish you a wonderful, wonderful time. Jelena Kovacevic (she,her,hers): Judi, over to you.
Judith Germano: Thank you so much Dr. Jelena. We are thrilled to have you. And appreciate your, your framing and your describing of Judith Germano: our conference and our joint collaboration between the School of Engineering, The School of Law, and really collaboratively recognizing the interdisciplinary work to be done and the expertise and the need for Judith Germano: encouraging the the existing women leaders and the up and rising future women leaders, as well as girls who are considering cybersecurity and Judith Germano: other related areas on for careers because we really do need more more of them, more of us, in it. So thank you for joining us. Judith Germano: And I think to to the Dean's comments, it's an incredible example of how cybersecurity is at the front of our critical concerns, Judith Germano: for the nation for our business and for ourselves personally was the disconcerting news last night regarding the attack on FireEye, a global leader in cybersecurity defense, Judith Germano: that an organization to whom many in government and the private sector turn to ensure that their systems are safe and the Judith Germano: the news reports that a very sophisticated nation-state actor stole the very hacking tools that FireEye uses to test vulnerabilities and for its customers. So it remains to be seen whether these tools will be publicly released, as happened in the Judith Germano: 2016 NSA breach, or if they will be used to attack others, or perhaps both. Judith Germano: But it really underscores on a day-to-day basis, the evolving and critical issues that come up, Judith Germano: and I am honored to be part of a dialogue and conversation on these issues with some of the leading women in the country today, and through our Women Leaders in Cybersecurity programming at NYU for the ability to do this programming. I want to thank our sponsors,
Judith Germano: in addition to our new NYU Center for Cybersecurity and the School of Law and School of Engineering, our Women Leaders sponsorship is Judith Germano: supported very much by Craig Newmark Philanthropies and the William and Flora Hewlett Foundation who make that possible. And today's panel discussion is also sponsored by Alston & Bird, Judith Germano: a law firm who this year launched the AB Women, Women in Cyber Network to bring many of us together, who are working as the lawyers in the field and making sure that Judith Germano: the leading thinkers, and and future leaders are talking to each other about these issues again from our companies from our government roles and collectively. So we have Judith Germano: a wonderful lineup there today and I see my my speakers with me, I'm going to introduce to you. Judith Germano: We have with us Jen Buckner, who is, and by the way, you should read their bios because all these women are amazing. I'm just going to give the top line stuff that doesn't even do justice to
Judith Germano: their amazing careers, but Jen Buckner with us is a Senior Vice President Technology Risk Management at MasterCard, a retired Brigadier General of the US Army, highly decorated, Judith Germano: a member of the Board of Directors of the US Express Enterprises, and the former Deputy Commander of US Army Cyber Command and the former Director of Cyber for the Electronic Warfare and Information Judith Germano: Operations for the US Army. So welcome, Jen. We also, we also have Caroline Krass, who is the Senior Vice President and General Counsel for General Insurance at AIG, and the Deputy General Counsel for AIG. Judith Germano: Caroline is the former General Counsel of an organization known as the CIA, yes, Judith Germano: and forming Acting Assistant Attorney General Principal Deputy Attorney General for the United States Department of Justice, former Special Counsel to the US President for National Security and Associate White House Counsel in the Executive Office of the President. So welcome, Caroline. Judith Germano: We also have Kim Peretti, who is an attorney at Alston & Bird in the private sector and CO Chair of the firm's Cybersecurity Preparedness and Response Team and the National Security and Digital Crimes Team.
Judith Germano: Kim worked as a former Director for the Cyber Forensic Services Group at PWC and is a former Senior Litigator at the Department of Justice in the Computer Crimes and Intellectual Property Section, and thanks to Kim, she is the founder this year of the AB Women in Cyber Network. Judith Germano: Debbie Plunkett, we have, who sits on a number of different company boards, including BlueVoyant, Nationwide, JC Penney and CACI international. Judith Germano: She is a member of the Board of Advisors to the New York State Cybersecurity Advisory Board, a Principal of Plunkett Associates, and the former Senior Executive and Director of Information Assurance at a company or an organization, again, with its initials, the NSA. So welcome, Debbie. Judith Germano: We also have Alicia Lowery Rosenbaum, who is the Vice President Associate General Counsel for Cybersecurity, Technology, and Trust at Salesforce. A former Senior Attorney at Microsoft and a fellow on the Leadership Council on Legal Diversity, welcome Alicia.
Judith Germano: And Rinki Sethi is with us as the Vice President and CISO of Twitter. News this week was Rinki, was recognized as one of the top global CISOs, global in the world. Congratulations on that, Rinki. Judith Germano: And she also is a former Vice President of Information Security at IBM. Judith Germano: And Myrna Soto is a Chief Strategy and Trust Officer at Forcepoint, Myrna also sits on a number of corporate boards, including CMS Energy, Consumers Energy, Spirit Airlines and Popular Bank, which you may recognize as Banco Popular or Popular Bank, so welcome Myrna. Judith Germano: So what a lineup. I did. And again, those are just the highlights. You can go back and read their actual bios with all the all the good detail in it.
Judith Germano: But we have today in a panel of experts to show diverse perspectives from government and industry and on a lot of work. Judith Germano: I read something interesting from Forbes, a writer had said that in his 20 years of covering cybersecurity issues, he's remarked by how how often things are the same topics, but then also astounded by how different Judith Germano: the issues can be. And I think that that's a key point because a lot of what we may discuss today may be Judith Germano: similar topics and concerns that emerged, year after year, but there are new and innovative twists and surprises and technologies that impact how we have to Judith Germano: worry about those things and work to address them. So what I'd like to do as we happily put 2020 behind us and look ahead to 2021,
Judith Germano: turn to each of you and ask what are the key cybersecurity issues that you would say are front of mind, just a quick kind of hit off and then we'll spend our time together drilling down into some of those topics. So, Kim what what's on your mind? Kim Peretti: Or just to God three quick things. One is endpoint management. Given the, the challenges we have with work from home and the changing landscape around change, Kim Peretti: work from home security in our perimeter, I would say endpoint management is one. The second one, probably the second two, three, four: ransomware ransomware ransomware. I know we're going to Kim Peretti: going to talk more about that, but we have been living and breathing on those, you know, attacks with our clients and unfortunately, Kim Peretti: unfortunately, the way that they're changing, the evolving nature of the attack is making those more difficult to to to deal with and respond to Kim Peretti: as number two. And then as number three, global cybersecurity incident response given the changing, given the changing landscape of laws and notification requirements outside the United States.
Judith Germano: Thank you Kim. Myrna, what's on your mind? Myrna Soto : Oh, if I only had more time. Myrna Soto : Thank you, by the way, for the introduction and it's a pleasure to be here with every single one of these just distinguished panelists. What's top of mind for me, Myrna Soto : going into 2021, is the proliferation and the need to focus on insider threats we have seen a number of very strategic campaigns to infiltrate companies as trusted insiders specifically during this Covid-19 Myrna Soto : pandemic crisis, where we've been hiring and onboarding people without ever meeting them in person. In some cases, Myrna Soto : I would agree with Kim that ransomware is top of mind for me as well, but just slightly different, and it's really what has been percolating up as ransomware as a service. Myrna Soto : In the dark space the ease of use, for lack of a better term, to acquire code that would penetrate organizations, Myrna Soto : the use of artificial intelligence and machine learning for automated incident response, another complimentary aspect to Kim's Myrna Soto : earlier comments. And last but not least, the reality that we do not have a perimeter any longer. This is the unbound enterprise,
Myrna Soto : the fact that we have such a huge amount of individuals working remotely and the number of companies that were not necessarily prepared to have that type of shift happen as quickly as it did. Judith Germano: Thank you. Debbie, I'm going to turn to you, what what is front of mind as we leave 2020 and look forward to 2021? Debora Plunkett : Thank you again, Judi, for the opportunity to participate in this forum among these great cybersecurity women.
Debora Plunkett : Well, first of all, I just want to get to 2021, I don't know about anybody else, but I'm about that with 2020 for sure. Debora Plunkett : But for me, a couple of things you know as as bad as it has been throughout the particularly Covid related this year. Debora Plunkett : There are some things that we have benefited from and learned from and I think their business operations will not be the same as a result.
Debora Plunkett : And I think so, the, the ability to be able to take what we have learned and had to adapt. We think about, you know, Zoom was not a verb in the spring Debora Plunkett : of this year, and now it is and the way companies have had to adapt Debora Plunkett : to put appropriate security measures in place so that work from home could be not only possible but feasible in and done in a secure way. I think we have to continue to keep our eye Debora Plunkett : on that ball, because as we conquer Covid, I believe we will have learned that we still don't all have to go to work.
Debora Plunkett : In order to go to work, we can actually work from remote locations and I think we're going to see an uptick a continued Debora Plunkett : use of work from other locations. So we have to make sure we're applying the right technologies to make sure that that's secure. The other is, Debora Plunkett : you know, it's related to the ransomware comment that already has been stated that also has already been shared, but more in the context of, Debora Plunkett : How do we prevent it from happening? And if we are doing all that we can to continue to reinforce to legitimate users system users. Debora Plunkett : The, you know, it's the basics. It's the basic cybersecurity. It's the hygiene. It's, you know, making sure you're not clicking on phishing links, Debora Plunkett : you know, it's making sure you're reporting any unusual behaviors. It's companies making sure they have the right level of auditing Debora Plunkett : and oversight on their systems in place. And then the last is just one I've spent a lot of time on over the past couple of years, it's election security. We've just gotten through our huge election, but believe it or not, by January,
Debora Plunkett : the election cycle will start again looking towards 2022. And so, in that regard, making sure that, you know, the lessons we've learned for 2020, Debora Plunkett : we can push down because cybersecurity isn't static. We will need to continue to reinforce those good behaviors and campaign space to make sure that we're able to protect the democracy and whether elections run free and fair. Judith Germano: Thank you, and Caroline, what are your top issues of the day? Caroline Krass: First of all, thank you so much for having me and I'm really honored to be with this distinguished group of panelists.
Caroline Krass: And my top concerns echo very much what what others have already articulated. My top concern is ransomware, you know, both in terms of the Caroline Krass: magnitude of the ransoms demand and the types of attacks and how their sophistication has grown, I'm focused on third party management and dealing with the risks that our vendors, you know, Caroline Krass: create for for the for the parent company, so to speak, the return to work and in the most likely hybrid return to work, less return to work. Caroline Krass: And all the challenges that will come alongside related to the response to Covid and they increase vulnerabilities and I think Caroline Krass: one thing, just to pick on what Debbie said, is we absolutely have to continue with the training and I think people are more vulnerable right now. Caroline Krass: We're all anxious about things. And so we're might be more likely to click on that link, you know that they we're in a hurry, we're distracted. We have a million things we're doing. And so that's something we really have to keep reinforcing. And then finally, as Kim articulated, Caroline Krass: as multinational companies confront the growing number of laws, regulations guidances from regulators around the world, it's really a continuing challenge to make sure that one is on top of all of that and acting consistent with the law. Judith Germano: And Alicia, what would you say we should be thinking about now? Alicia Lowery Rosenbaum: Let me just say I'm so excited to be here. Oftentimes, I'm a single voice in a room on these issues and to be in a virtual room with all these ladies with all these exciting
Alicia Lowery Rosenbaum: backgrounds is tremendous. And so just to build on some of the exciting things that I heard, certainly one of the things that keeps me up at night is this notion of endpoint detection. What on Earth is going on out at the edge? How do we, Alicia Lowery Rosenbaum: you know, detect protect and respond out there? And I love what near enough that about this notion of an unbounded enterprise. Where does an enterprise start Alicia Lowery Rosenbaum: and stop? You know, there's a shared responsibility with our customers, free data flows. How do we define that? And how do we define Alicia Lowery Rosenbaum: what the trust narrative is, what our duty of care, is another thing that keeps me up at night. In the context of Alicia Lowery Rosenbaum: in-house at a large enterprise is keeping up with best practices, such that our corporate governance is appropriate for shareholders and there's a lot of activity and I know we'll much more deep dive on that. But those are a couple things that are top of mind. Judith Germano: And how about you, Jen. What's your thought or what should we think about?
Jen Buckner: Well, I'd like to, you know, build on the consensus here and just add a couple different things. So three quick hits. The first is I, you know, I'm really thinking Jen Buckner: About risk exposure and I think many of us appreciate that. It's not just, you know, our primary offering. But we're also Jen Buckner: But the risks of our new acquisitions and our third party vendors are our risks as well. And so having a common picture across all of that I think is, you know, a significant challenge in this space. Jen Buckner: The second thing, and on that same theme, is really shared situational awareness. Jen Buckner: I know, you know, coming from the government side, what we could see, although I think it would surprise some people what we didn't know or couldn't see Jen Buckner: and what industry does and how do we, you know, as a large company with small companies, how do we aggregate that picture Jen Buckner: so that we have a common understanding and appreciation for the threat landscape and, you know, in can put all that together.
Jen Buckner: And then last thing, you know, I may think for for anyone whatever size you know you know company you're a part of is what's good enough because I think all of us, you know, know the ideal solutions. Jen Buckner: But from even a company with significant resources we have to make trade offs with, you know, with our business lines. Jen Buckner: And with, you know, some some revenue impacts from this year. So what is good enough look like, and how can we make those risk informed decisions on cybersecurity in business. Thank you. Judith Germano: And last but not least, Rinki, what what are you thinking about or what should we be thinking about as we enter into this new year? Rinki Sethi: Yeah, I'll repeat what a lot of my co-panelists said here. First of all, it's an honor being here with these amazing ladies. So I thank you for having me.
Rinki Sethi: I'll mention two that I you know that have been really on top of mind. For me, one and one of the main reasons I recently joined Twitter, Rinki Sethi: is, it's been top of mind, I think for the world right now, and how do we protect the public conversation, Rinki Sethi: and a lot of themes, one that Myrna mentioned around insider threat, and then others that have been mentioned play into it, but Rinki Sethi: you know, when Covid-19 hit and then the election, there was a lot of misinformation out there, some driven by cybersecurity issues, some not. And so how do we ensure that the public Rinki Sethi: conversation is protected and people are getting the right information the appropriate information when they need it, and I think that's going to be critical for 2021 and beyond. Rinki Sethi: The second is protecting our remote workforce. One thing that comes top of mind is companies are going through acquisitions and Rinki Sethi: you haven't had to think about how do you control that data and now people are home having conversations, Rinki Sethi: printing documents and things like that. And so, are we providing a remote workforce, not, not just as it relates to the endpoints, but beyond that, in terms of,
Rinki Sethi: how do you ensure that information stays confidential and so forth and taking that one step further. Rinki Sethi: You know, kids are using the internet in our own devices all the time. And, you know, ensuring that I think our workplace has the responsibility now to ensure that parents also have the right tips and tools to teach their kids more about online safety, Judith Germano: Given the significance of these issues, I am a one hand, we have a lot to be concerned. Kim Peretti: Judi, you're frozen. Judith Germano: ... to balance that with with privacy and corporate responsibility and economics. So thank you for the overview. Given that a few of you felt that it's interesting, and I do know that it's in the news every day and seems to just keep getting worse, let's start with ransomware.
Judith Germano: We have seen a rise in ransomware and not just a text that cripples systems, but then Judith Germano: siphoning data and then leaking data such as a tax on hospitals, putting patient data out there so that Judith Germano: it's to up the ante and make victims more inspired to pay and hospitals, having to turn away cancer patients, for example, because they can't get there right treatments. Caroline, what are you seeing in this space in terms of key issues for understanding what to expect in 2021? Caroline Krass: Well Judi, just as you say, if you look at statistics for the first half of 2020 alone, ransomware attacks are up by 72%. Caroline Krass: I know across the insurance industry over the past few years, claims have just risen exponentially in that have involved Caroline Krass: ransomware and, you know, the US government itself has been putting out advisories and more information about the threats posed by ransomware, Caroline Krass: extending beyond where you might expect, you know, not just talking to say the defense interest infrastructure based you know are critical infrastructure, but Caroline Krass: FinCEN issued guidance at the same on the same day as the Opposite Foreign Assets Control October 1, and FinCEN on was really drawing it's Caroline Krass: client base or regulated entities attention towards the dangers of ransomware, and some of the things that they highlighted was what's going on now is Caroline Krass: what they described as a big game hunting, you know, instead of the smaller companies being picked off for Caroline Krass: ransoms that were in the tens of thousands of dollars, now you have big much bigger scale companies being targeted with demands that could be as much as you know $40 million, you know, just huge numbers that were not initially Caroline Krass: demanded. There is also an environment where the bad guys are sharing information amongst themselves more freely, and interestingly enough, even sometimes for free. I haven't quite figured out that. Caroline Krass: You know, why there would be an incentive for the bad actors to conspire, you know, without getting any renumeration. But you know so that's another Caroline Krass: broadening of the environment of those who the good guys have to confront. And then, as you described, this
Caroline Krass: phenomena now of double extortion, so you'll have, you know, traditionally ransomware was a situation where Caroline Krass: a bad actor would get hold of a company's data, put it, you know, put it together and say, if you want the key to decrypt this you need to pay pay us x amount. Caroline Krass: Now, in parallel, they're making copies of all of that data and they're threatening as you're identifying the healthcare companies, for example. Caroline Krass: We have this very sensitive information could be about the company itself, could be about the company's employees, about the company's customers, and we are not going to, Caroline Krass: we're not going to keep it confidential. We're going to leak it out unless you pay us. And so, you know, on the one hand, you might have the company might have adequate backups, so they wouldn't have had to pay the ransomware
Caroline Krass: in the more traditional sense, because they could could could make do. But now they have this concern that they have to pay so as to avoid the information Caroline Krass: becoming disclosed and then if that information is disclosed, of course, there are all kinds of regulatory obligations in terms of notification to the affected individuals, Caroline Krass: to various state or international regulators. They're open to lawsuits, you know, and so they have to actually act like they've been breached, even if they may not end up ever having that information disclosed. Caroline Krass: And then of course we always have the problem that sometimes the ransomware demanders, you know, will not Caroline Krass: do what they say they will do. So one could pay and then they could go ahead and make the information anywhere that go ahead and not give you the decryption key and just so many issues associated with with that, including the reputational risk. Judith Germano: I thought it was interesting. There, there seemed to have been a bit of a pact among certain attackers in April that they weren't going to
Judith Germano: attack hospitals, but I am reading from the headlines that that pact has crumbled. And we're seeing continuing attacks in the healthcare sector as well as throughout Judith Germano: business and other organizations. Debbie, let's talk tech for a moment. How is this happening and what are the primary causes of these attacks? Debora Plunkett : Well, I mean, the causes of them are, the mechanisms used in order to successfully execute are not huge surprises. They are lapses and security, use of security measures and judgments by legitimate Debora Plunkett : users of company systems. Debora Plunkett : But they are also, with with regard to others that are responsible for protecting those companies systems, failure to implement security patches and upgrade in a timely manner.
Debora Plunkett : They are like failure to have the right monitoring in place to be able to detect even minute changes in the system protocols that might cause you to want to look deep more deeply. Debora Plunkett : So, you know, no, no huge surprises there, right? You know, the getting in isn't the a huge surprise. It's, it's, then the extortion and everything that goes along with that in this ransomware as a service space. Judith Germano: And and I think that that makes a good point. One of our questions from the audience is that humans really tend to be the the weakest link, so we need to
Judith Germano: address that, and and with the with training and other consequences. Rinki and and Myrna, both Judith Germano: from a technical, let's talk from a technological perspective. And then I'm going to turn to Alicia and Kim on a governance perspective. But what are the technical measures that companies can take to protect themselves against ransomware. Rinki, I'll start with you. Rinki Sethi: Yeah, I think, Rinki Sethi: you know, one of the top things you can do long term preventative is make sure you have a solid backup recovery solution.
Rinki Sethi: That's not going to necessarily prevent you from a ransomware attack, but it will help you recover from one very quickly. Rinki Sethi: I've seen in the news recently how many schools have had to shut down because of recent ransomware attacks. They're comparing it to a snow day where you would actually close the Rinki Sethi: school because you're snowed in, not something I'm used to in California, but that's what they're comparing ransomware to and so Rinki Sethi: it's it's devastating to hear that, you know, there's no backup recovery plan from this and there's a lot of companies that exist out there helping protect Rinki Sethi: other companies from ransomware by ensuring that you can quickly recover from it and that your backups are immutable, and that your backups are not also Rinki Sethi: open to corruption from ransomware. So I think that's the top thing, and I would say from a non-technical control, ensuring you've got a good response plan to deal with ransomware attacks. Judith Germano: And Myrna, what are your thoughts on that? Myrna Soto : Well, you know, the way I think about the technological implications to prevent or, more importantly, to detect Myrna Soto : because I think the concept of trying to prevent the potential of malware for the purpose of ransomware Myrna Soto : infiltrating someone's environment is very difficult for all of the reasons we just discussed. The human element, phishing attacks that have gotten extremely sophisticated with our current Covid 19 crisis alone,
Myrna Soto : our labs group within Forcepoint has been able to detect over 1.3 million new campaigns for phishing attacks Myrna Soto : with the word "Covid" in it. So there's just this plethora of opportunity for the adversaries to use the tools and going back to the ransomware as a service. Myrna Soto : The organization of the code bases being used against companies is quite easy. Myrna Soto : So because of that, I firmly believe that we have to have much better algorithms and detection mechanisms to understand the analytics Myrna Soto : of the behaviors and transactions that are happening on our in our systems. And what I mean by that is and Judith, you mentioned, you know, originally, it's sees someone's infrastructure and shut them down.
Myrna Soto : We're seeing more and more than it's more on a very stealthy, low and slow data leakage type of campaign. Myrna Soto : I think it's really important that we use much more analytics around what our users are doing on the network. Why? Because the ransomware is going to attack credentials. Myrna Soto : The ransomware is going to attack an individual. We we talk significantly at Forcepoint about a human-centric approach to cybersecurity. It is still the number one vulnerability that we have. Myrna Soto : There's a whole other panel that we could discuss about what we could do with that. But when it comes to the technologies, you know, the ability to, Myrna Soto : and this may sound controversial, but the ability to study some of that code.
Myrna Soto : Be able to read, reverse engineer some of the malware code that is out there available for ransomware purposes. Myrna Soto : And of course, organizations such as mine, do that on a daily basis in order to harden protections and to harden the technologies that are used to detect malware for the purpose of ransomware. Myrna Soto : You know, throughout my career, I was fortunate enough to be a global CISO Myrna Soto : for a greater portion of my career, and I was very unpopular. When I was at an event, and they asked me, would I ever pay on ransomware. And I said, no, absolutely not. Myrna Soto : I said never pay, and one of the reasons is because one of the things that we did in our organization as one of the largest internet service providers is that we worked with the various three letter Myrna Soto : law enforcement agencies to try and prevent the success of ransomware because at the end of the day, it is an economy, Myrna Soto : and when the economy is successful, it will continue. So there's a number of things that we can do, but I really am a firm believer that it comes down to the analytics network behavior. The use of data Myrna Soto : and how data is our new oil, we need to understand how it's being used where it's going and to be able to detect anomalous abnormal behavior of users.
Judith Germano: So given given the human-centric approach and issues related to ransomware, as Myrna just mentioned, Kim and Alicia, I'm going to turn to you in terms of, what, from a governance perspective, should we be doing to address this problem. Alicia Lowery Rosenbaum: For on, Alicia Lowery Rosenbaum: I think, Alicia Lowery Rosenbaum: all companies need to have a plan, you know, triggered by data unavailability. Whether it's ransomware or other sort Alicia Lowery Rosenbaum: of some other scenario where you are your customers cannot get access to that customer data. And so I liken it to you have to have a bad guy plan. One is around engagement on for various reasons. Some of the Alicia Lowery Rosenbaum: individuals on the other side, that you may or may not be interacting with our various levels of unsavoriness, I'll call it. So do you have on a third party intermediary, do you Alicia Lowery Rosenbaum: have methods by which you can go to your board and say, hey, I need $5 million in Bitcoin, where do I get Bitcoin on short notice, is that something that you hold on the books.
Alicia Lowery Rosenbaum: And just backing up to Myrna's point, all of the presupposes you've decided to engage and pay, that's also something you need to socialize internally Alicia Lowery Rosenbaum: about rather not. What's the corporate stance on that? Under what circumstances would we pay? What are piercing in the ecosystem? What's best, what's the duty of care here, the best practice having? Those conversations well before something Alicia Lowery Rosenbaum: befalls your company or your organization is really, really a good route in terms of corporate governance. Kim Peretti: I can add to some of Alicia comments so Kim Peretti: You know, total totally agree that for for many cyber crises, they require a cross functional response often will need executive decision making Kim Peretti: in a crisis situation. But ransomware is unique, it has different aspects to it. And we have been Kim Peretti: working with clients for the past two years to do table tops that involve ransomware to really inform executives and even the the Kim Peretti: Response Team members of various client organizations on, Kim Peretti: what is a ransomware response? What does it look like? How do you be prepared? Because it's very different than other types of cyber incidents. Kim Peretti: You immediately might need to have for work streams. You might need to have a restoration work stream looking for your backups for storing your data, a communications work stream to communicate to employees about Kim Peretti: laptops, data, they may not have access to.
Kim Peretti: A legal work stream to start working through any legal issues, if there was data that was that's full traded a communications work stream legal. Kim Peretti: An investigation to investigate what happened. I mean, in some ways, these ransomware attacks are no different than the state sponsored attacks, Kim Peretti: the targeted attacks we were investigating a decade ago, where criminals get through the front door. Kim Peretti: They drop malware, where they start to escalate privileges. They move around in the environment, sometimes weeks, days, weeks, months before they deploy the ransomware which is the last stage of the attack. So really, informing Kim Peretti: executives on what these ransomware attacks are like and what the response needs to be and how you need to be prepared is critical. And how do you do that? Kim Peretti: One thing that we're, we've worked on with many, many companies is to have a ransomware policy.
Kim Peretti: There have been policies companies have had that outright prohibit paying criminals or paying the ransom, Kim Peretti: largely stemming from kidnapping policies. But, you know, we know that you may need that flexibility to pay in some circumstances, and it may not be to get the decryption key, but it may be the Kim Peretti: double extortion we're seeing more often, just for some protection that the criminal says that they won't post your data, your very sensitive customer data, publicly. Kim Peretti: So working on a ransomware policy that helps identify under what circumstances the executive team may make a decision or may consider what factors they may consider in making the Kim Peretti: decision to pay. Having that policy in place that allows them to turn to something to work through the process of decision making and very, very quickly.
Kim Peretti: We found that that can help, in addition to having a ransomware playbook that outlines the different workstations, how you engage these third party intermediaries, how you might pay Kim Peretti: outlines the OFAC guidance, and other legal considerations, just so it's all in one place and the company's familiar with how they need to approach the response. Judith Germano: So, Jen you you have, in addition to your current role from from your prior life with with US Army, you have amazing insight into the critical infrastructure issues and concerns. Judith Germano: Regarding cybersecurity and and with the ransomware attacks, we have seen a number of state and local governments under attack. Does this question of pay or not pay change for a municipality or for critical infrastructure organization?
Jen Buckner: I guess in this space, you know, being that the the certainly there's an evolution on the stance. I like that Jen Buckner: analogy to hostage or or policy on the on the payment of ransomware. And I also think we're seeing a movement in the government's role in in responding to these because, you know, I think that the Jen Buckner: that the North Korean involvement in the Sony hack really compels a different framework for these response when private sector companies, you know, are the are the victims of what is a nation state Jen Buckner: actor in those techniques. So I don't quite know the answer, Jen Buckner: but you know, I appreciate that the current circumstances are informing a movement on this and that it's certainly not black or white, yes or no, it's, it's definitely, it depends.
Jen Buckner: And I think, you know, it's scenarios like this which which compel movement in here, and I think, you know, so it's very different than it was five years ago, Jen Buckner: even today, so I think we'll continue to see that movement. But to also pick up on your idea, the, the idea of consortiums, Jen Buckner: and I think we do see you know critical infrastructure groups, like the energy sector has done such an amazing job in terms of working together to share information of what they're seeing the identify the identification of sectors, techniques, Jen Buckner: and responses, and then a coordinated response. And so I think from a you know sector perspective, we can follow the energy sector in this and I think where we see like businesses Jen Buckner: or industries coming together to do this, that is so important to our collective cybersecurity and posture, not just as a you know, a product of business, but also from a national defense perspective. Judith Germano: And Debbie, do you think that that this new flavor on ransomware of releasing sensitive data, including patient health data, changes the Judith Germano: the discourse or decisions within organizations about whether to pay or not? Because on one hand, there's Judith Germano: a strong motivation, not to pay and, on the other hand, there's also strong obligations to protect the most sensitive types of information. And how, what kind of questions should companies be discussing regarding that? Debora Plunkett : Well, they should be discussing them with their attorneys, for sure. And with federal officials as
Debora Plunkett : as appropriate. You know, I think ultimately, it's a risk decision and the company is going to have to make that decision based on their level of tolerance and based on the potential for impact to them, either financially or reputationally. Debora Plunkett : You know, we have to keep in mind that we, in my view at least, we don't want to reward bad behavior, Debora Plunkett : and we want to try to avoid rewarding bad behavior. And so to pay is not only rewarding bad behavior, but we have no guarantee that the bad behavior is not going to reappear. Debora Plunkett : In fact, you know, it seems to me that we were probably writing a check, knowing that we might be writing another check right and so and so all of that has to be taken into account. Debora Plunkett : But most importantly, it's to surround yourself with wise counsel and hopefully you know for corporate entities to have had be having these discussions right now, Debora Plunkett : before something bad happens, so that they have a sense of what the company's tolerance is for risk, so that when they have to make this decision, it is not quite as difficult.
Judith Germano: And one of the issues in the guidance right so hackers know companies are in a bad spot and and they're capitalizing on that and and in addressing that though, Judith Germano: the government has issued, as Caroline mentioned, the strong you know whether the OFAC guidance that it would be that you should not be paying Judith Germano: for ransomware if it's somebody on a either a country or there's nationals list that we should not be doing business with, and that is Judith Germano: not just for the victims, but for others who are facilitating the payments or responsible in the chain of payments. Kim, from your former time at DOJ, do you think that that is a signal that Judith Germano: victims should worry about being prosecuted, as well under this, or how do you take this new guidance? Kim Peretti: There certainly are criminal and civil penalties attached to OFAC violations, but at least from from this particular guidance, it's it's focused more on civil penalties and reminding, Kim Peretti: reminding everyone there's no new regulations here, that it's a strict liability standard should you pay even if you have no reason to know Kim Peretti: that you're paying someone you know an entity on the sanctions list that you could be subject to civil penalties. Kim Peretti: And OFAC is reminding us of that standard in this in this guidance. The challenges stem from in ransomware incidents, most Kim Peretti: often all you receive from a criminal is an email address and a Bitcoin wallet to pay, and those Bitcoin wallets change frequently, so even a Kim Peretti: company with a good due diligence program for any transactions that they make and then of course, we rely on a third party intermediary something higher to make the payments to also due Kim Peretti: due diligence. We also often check with with the FBI and law enforcement when we pay with Bitcoin wallet, if they've identified it in as
Kim Peretti: related to any terrorist organization. So even with all those steps, you know, OFAC is reminding us that, Kim Peretti: you know, it may come to be that the Bitcoin wallet that we that we're paying is associated with an entity, there's a, Kim Peretti: there's a sanctions nexus so I think it's a reminder and whether OFAC moves forward as we as the government continue to indict more and more companies for criminal cyber, cyber criminal activity and put more entities on the list. Kim Peretti: I think it's just a question of whether OFAC would indeed Kim Peretti: go back and identify companies that have made payments, even if they had no reason to know, and bring an enforcement Kim Peretti: action against them. Of course, they're making it quite clear in the guidance that having a due diligence program is important, but even more, what I find more important in the guidance is that Kim Peretti: they say if you have a significant if you coordinate with law enforcement, that's a significant mitigating factor in their decision to bring an enforcement action. So Kim Peretti: we really view this guidance as if you are going to take steps to pay criminals that you absolutely should be coordinated with law enforcement. Myrna Soto : I hate to interject, because I know Judi wants that we have a big panel, but I couldn't agree with you more. And the, the coordination with law enforcement implies something, transparency.
Myrna Soto : And the issue with the with ransomware, and to Debbie's point about "Let's not reward this behavior," Myrna Soto : is there's just way too often, the lack of duty of care to secure enterprises and secure data, you can still be a victim. But if you've expressed that duty of care, Myrna Soto : you have done your best effort, you may still be a victim. We should not be shaming victims, and the shame of victims is what allows companies say let me just resolve this, let me just pay. Myrna Soto : And then that that entire cycle is just, it's just a vicious cycle and I can't see it ending until we will pay. Judith Germano: You should all interject. We're here for a conversation. And by the way, I know that we could fill two hours with any one of you and it would be phenomenal. So we're just going to get through as much as we can, and we're thrilled to have all of you. So we'll let it flow, but we... Caroline Krass: I do want to highlight, you know, one other aspect of the guidance, which is, you know, it does apply to intermediaries. So that includes the negotiator, potentially,
Caroline Krass: of the ransomware and includes the insurance companies, you know, explicitly. And one thing that it Caroline Krass: assumes, in a certain sense, is that one knows whether or not the ransomware has been perpetrated by an SDN, Specially Designated National, or by a particular country. It might be easier to tell the country versus the SDN. Caroline Krass: But oftentimes, you can have a situation where you can have one incredibly well-respected Caroline Krass: forensics firm saying, "We think this has the same signature as this SDN, you know, we think it's quite likely that this Caroline Krass: demand or ransom, is that bad actor." But then you can have an equally reputable Caroline Krass: firm saying, you know, "We don't think so. We don't think we have enough to tell that." And so it puts all the company and all of these intermediaries in a very difficult position. Caroline Krass: How sure do they have to be and they may not be of course not expert in it, you know, this isn't the kind of thing that most companies know how to determine, you know, the signatures.
Caroline Krass: of bad actors. And so, I think, a very interesting question is what is reasonable in the circumstances, such that OFAC will not come back Caroline Krass: again, against the company or its intermediate years in terms of sanctions. Caroline Krass: And I think most most companies are going to be more careful. They're not going to go ahead and do it unless they obivously have to, you know, and then find out later. You know, they want to know ahead of time. Caroline Krass: OFAC will consider license requests, but it's a very interesting because the guidance is just articulating laws that were already in effect but but especially, with as Caroline Krass: Kim indicated, the focus on the credit one would get for cooperation with law enforcement. I think that's a new,
Caroline Krass: a new development in terms of having that explicitly stated, and it does push, I think it does address, it does bring up the challenges that Myrna mentioned, in terms of shaming the victim, you know, but it's certainly pushes a company towards that cooperation with with law enforcement. Judith Germano: So I think that the bottom line, before we leave ransomware, is it's incredibly important. We're seeing a lot of it. You need to talk about it within your organizations and with your technological and legal advisors, because there's a lot to navigate Judith Germano: on from from these issues and the more you do it ahead of time, the better. We need to take a quick pause to provide our CLE number for the lawyers in the audience who get ClE credit, so we'll do that and then we're going to jump to insider threats.
Elizabeth Whatcott: So for those of you who can't see the screen right now because you're calling in the first CLE code is eagle fifty two. Elizabeth Whatcott: That's E A G L E five two. Elizabeth Whatcott: I'll repeat it again, eagle52. Elizabeth Whatcott: E A G L E five two Elizabeth Whatcott: All right, do we think we're good? Judith Germano: Thank you. Yes. Judith Germano: So insider threat. So we have this huge shift in 2020 to a remote workforce, which brings a wonderful opportunity to have globally diverse teams, but also raises questions of data security and data protection and insider threat. Rinki, what are you seeing as as key concerns in the space?
Rinki Sethi: Yeah, I, you know, there's a, there's a few things, I think, when it comes to insider threats. One, and I think when folks think about insider threat, a lot of times you think malicious, Rinki Sethi: but insider threats can also just be risks and not malicious. So there's some key things, I think, to think about, you know, and Rinki Sethi: as everybody knows that Twitter definitely felt the pain of lack of education when it came to our insiders and how they were using technology, Rinki Sethi: as the breach of happened a few months ago. And so I think that, one, you know, that all your employees and insiders need to be protected in the, Rinki Sethi: you know, with the right tips and tools and understand what what the limitations around technologies are and where they have responsibilities and Rinki Sethi: ensure that they have great knowledge around social engineering and phishing and all of that. And as we all know that, that's not necessarily enough around insider threats. Rinki Sethi: So what, some of the things as, you know, again, when I, when I think about insider threats, I think back to how are we going to protect the public conversation, as it relates to insider threats and ensuring that Rinki Sethi: there's good access management within a company, that there's ensuring there's good access controls and that we've got visibility and we've got the right Rinki Sethi: tools to flag when we feel that there's some kind of issues that somebody might be doing something malicious, or maybe even inadvertently Rinki Sethi: pushing something to production that shouldn't, or so forth. So I think there's a lot of things to think about Rinki Sethi: when it's, when you think about insider threats, and there's a lot of questions to in terms of what can you do when Rinki Sethi: folks do have access when your employees do have access to really critical Rinki Sethi: assets in the company in terms of in, you know, this is where we cross over with legal implications as well, Rinki Sethi: In what can you do in terms of background checks and how can you implement more controls that way to to make sure that you're preventing malicious actors from entering to begin with.
Judith Germano: And Jen, what are some best practices that you can share with us for managing a remote workforce? Jen Buckner: Well, I think, like most, this is a journey that we are, you know, figuring out as we go. And I think, you know, early on, when we Jen Buckner: federated the workforce, and we really had to make some tough calls on known risks, Jen Buckner: but also the ability for our employees to work in that ease of work. And so those, those risk reward trade offs, you know, we made some early decisions. Jen Buckner: And of course, the, the ability to come back and address those. There are certainly, I mean, it's put a premium on logging and monitoring tool to, you know, immediate visibility Jen Buckner: into how our employees are working, what they're accessing it really compels a, you know, a tough look at privileged access.
Jen Buckner: And I think, you know, now as we know that the future of work is is some sort of hybrid of this, Jen Buckner: how we can continually test and validate those controls and ensure our visibility on what's happening in the environment real time. Jen Buckner: So again, I don't know that there's any one answer or posture, but the continual evaluation to again balance the risk, along with, you know, the user experience along with the employee experience, Jen Buckner: and our must you know our must do critical missions as well. I think it really, you know, has shrunk the the hybrid of what we see and Jen Buckner: you know, we've all gone to like digital signatures and reviews and things like that. But there's still a couple things that still have to be printed out and signed you know hardcopy, so,
Jen Buckner: you know, again, those are those are all journeys that we're on in the controls validation risk user experience and logging and monitoring. Judith Germano: Debbie, from a Board Member perspective, we know that Judith Germano: the board overseas and doesn't manage. But what are the questions that board members should be asking, or the senior management should be prepared to tell the board about, in terms of insider risk management and how, what to think about in this space? Debora Plunkett : Sure, so. Debora Plunkett : You know, board should be getting some type of regular report from management on the status of the company's efforts to protect and, Debora Plunkett : and as needed defend its network and data in personnel, and that that can come in the number of different ways from, you know, little, little reporting to you know having experts present in different ways.
Debora Plunkett : But that should be happening on a regular basis. You know, board members should be asking what's the investment, because that's, that's an area that boards care about is what, you know what, how, how are the stockholders dollars being invested. So what's the investment in technology and security? Debora Plunkett : The board members should have a sense of what is normal for this company as it relates to Debora Plunkett : cyber incidents and security so that when a really, really bad thing might happen, the board would understand what that bad thing means in the context of what normal looks like for the company. And then the board, the board should be asking for some type of Debora Plunkett : flow chart or structure to escalate should some bad thing happened, such that the board will be notified as appropriate, if required, if it reaches up to that that threshold. Judith Germano: Thanks, and really insightful thoughts, not just for insider threats, but for other cybersecurity risks, the challenges of escalation and the dialogue of communication. And Myrna, I think as
Judith Germano: someone who works very closely on insider threat management in your work at Forcepoint and then also sits on a number of corporate boards, Judith Germano: how, what's your thought on how we should, both companies and their advisors, should be addressing this concern? Myrna Soto : Yeah, I think there's a number of things. And I'll be the one to break glass, and I'm sure many, many of my fellow panelists will agree, to an extent, that Myrna Soto : one of the imperatives around insider threats is the balance of protecting employee privacy. Right, so their activities on, unfortunately now in this environment, more often than not shared devices, Myrna Soto : the ability to understand what people are doing with their credentials and their privileges. And I often say that, you know, we all want to trust that every single one of our employees have Myrna Soto : the greatest regard for the corporation at hand. But the reality is, is that people are under a tremendous amount of stress, Myrna Soto : people are under a tremendous amount of pressure, and there are adversaries that work for us. I mean, this is just Myrna Soto : fact. There are data and statistics that show that and in the boardroom, you know, the considerations are to make sure that we don't over index
Myrna Soto : on that trust. You know, Jen said it, well, when you know she she described this continuous assessment, Myrna Soto : one of the things that I love that, and I rarely say this, by the way, one of the, one of the things I love that Gartner put out as far as an imperative for security Myrna Soto : is the concept of CARTA, which is Continuous Adaptive Risk and Trust Assessment, and really adopting a zero trust model Myrna Soto : for your users. Now users could be employees, third party, I know we're going to talk a little bit later about third party risk, Myrna Soto : they could even be machine accounts, right, automated machine accounts. I think that we have to realize that
Myrna Soto : over the last decade or so, probably the last two decades, we have employed a number of technologies to help prevent data leakage, data exfil, network intrusions all of these things. Myrna Soto : And yes, that the whole defense in depth approach has served well, not perfectly, but well. Really, our only real defense now is to understand and monitor. And that concept of monitoring Myrna Soto : kind of puts an uncomfortable feeling in some people's necks because where do you draw the line or snap the line and say I am monitoring activities on my network, on my assets, on my data, Myrna Soto : right, and ensure that you're not over indexing and monitoring behaviors that an employee may have on a shared device Myrna Soto : that could later be mishandled, used in some biased format, all of these things. These are all the things I think about. Myrna Soto : We at, at Forcepoint, you know, we are levering up on behavior analysis, being able to apply - I like to call it the FICO score to your activity - it's a risk score.
Myrna Soto : And I'll use Debbie, as an example, you know, Debbie is a certain role. She's accessing certain data that's normal for her. I'm not going to be intrusive and monitor. Myrna Soto : But suddenly, now Debbie's activity has changed and it's abnormal, and to be able to automate some of that