Thursday 3rd June 2021, 10:00 (BST)

Passive, reactive and proactive threat management

  • Mapping your organisation’s cyber risk profile and environment to your threat management approach
  • Correlating identities and privileges to reduce your blast radius
  • Threat modelling and profiling to mitigate the impact of cyber attacks

Hello, good morning. It is Thursday morning, 10 o'clock, therefore it must be time for another teissTalk. My name is Geoff White. I'll be your host for today's teissTalk, every Thursday morning at 10:00. Hello to our returning members here at teiss, our returning audience attendees, and welcome to our new ones. Please do spread the word. We are discussing all of the key topics on these teissTalks every Thursday morning at 10:00 and every Tuesday afternoon at four with my co-host, Jenny Radcliffe.

So, yes, please do spread the word. And I am finally able to see the chat this time; I can see the chat window, so say hello, all of you. You can use the chat window there to get in touch and give us a boost, or you can use the Q&A tab to ask questions. We'll put them to our panel, who today are going to be discussing threat management: passive, reactive and proactive threat management. Which would you do?

Probably all three. We'll be talking to a great panel on this. We've got some really, really good people. Leigh Howard is head of Security Risk and Shared Services at N Brown Group, and even if you haven't heard of N Brown Group, you've probably heard of some of the brands they represent in terms of clothing. Then we have Simon Goldsmith, who's senior director of information security at Adidas. We have Matt Lock, who is technical director UK at Varonis.

We've got a fantastic panel coming up later on. I want to introduce, though, our first guest, who is going to be talking to us, who was on teissTalk a little while ago. Joining us again, I'm pleased to welcome Craig McEwen, who's chief information security officer at Anglo American. Craig, how are you doing?

Yeah, good. Geoff, how are you?

I'm alright. I'm alright. And yes, somebody already pointed out that I'm not wearing a jacket and bow tie. Basically, I've moved house. The room that I'm now in is also the room that contains the boiler. And, boy, that's not a pleasant experience at the moment. But in winter, hopefully, it will be much more pleasant. Have you been in the office? Have you come back in?

Yeah, I have, Geoff. Just one day a week. We've actually moved office, so that's been going on over a long time. It's been interesting, and it finally opened a few weeks ago in Farringdon, so I'm just in one day a week to help get the place settled in before we start to open up to the rest of the team. We haven't started on that yet. It will probably be much later in the future. But it is nice to get back.

It's nice to see the old faces, and it's nice just to have that variety in your day, whereas walking through your boiler room to your kitchen gets a bit repetitive after a while.

Yeah, I do appreciate that. And, to be honest, my life before lockdown was, you know, days of just working at home. I relished the opportunity to go and visit people in their workplaces because it just broke the routine, a bit of normality. And then when everybody else was doing what I was doing and staying at home, my life got more and more... I got pushed down the spectrum. So how was it?

I mean, were you wearing work clothes? Did you get back in the work shoes and stuff?

Yeah. Yeah. I didn't wear the suit jacket because it's lovely outside, but it's trying to get back into that normal routine. So, in work clothes. We've got these really cool track and trace sort of animatronic badges that go off if you get too close to people and things. So there's been a lot going on behind the scenes in terms of making the office safe for people to come back to. So that's nice as well.

But it's yeah, it's nice to see people in business attire again. Normality.

Yeah, exactly. Exactly. And this is just what we talked about: how has it been setting things up? Was that easier to do with everybody out? Because I know there's a lot of infrastructure work going on, on the roads and stuff, whatever they call it. Was that the same for you guys, like get it done while nobody's here and it's going to be easier?

Yeah, exactly. So moving things, you know, our safes, we keep digital forensic evidence of things, there's been a lot of humping and dumping. So we could have used the extra hands for that side. But no, it's nice. It'll be great because with my management team we set things up how we want them to look, and when the teams come back in it should be all nice, new, shiny and set up purposely for them.

So they'll come into a really nice environment, as opposed to somewhere where there's still work going on and things. So hopefully it'll give the guys and girls a really nice workplace when they do come back.

Yeah, good. Good. Yeah, it's going to be really interesting in terms of that. At Anglo American, how often will people have to be in the office? What's the sort of set-up?

It's an interesting one. I've heard lots of debates about whether companies will mandate a minimum number of days, go back to five days, go forward with remote working. I think with Anglo American we're being very flexible with it. So we haven't drawn the line in the sand yet with this. Certainly my personal view is that two days a week would be the minimum. It's nice to have people in, and it's nice to see people connect with each other physically.

But we've definitely proven that remote working is a completely viable option in the corporate offices. Of course, not on mine sites, obviously. So it would be silly to go back to the old ways, having been forced into this way of working as a result. So I think, as a business, we will probably maintain a high degree of flexibility. We won't be too regulated. I think we won't start telling people what to do. We'll be very accommodating to suit people's needs.

I think what lockdown's done is, for some people, they're actually finding working from home suits their lifestyles: taking kids to school, that sort of thing. For some other people, the more social butterflies, they absolutely need to be in that office environment and go to the coffee area and just chat with people. And so accommodating both of those ends of the spectrum, I think, should be important to make sure we get that right balance for people.

Yeah, really interesting. It's kind of just going to be something where the pendulum swings over the next four to six months. It's going to be really interesting in terms of, obviously, all the businesses I speak to are saying the same thing as you: flexibility. But it's going to be interesting to sort of say, OK, we've had some flexibility, now what do we think works? I suspect you'll start to see a concretisation at some stage. It's going to be really challenging for lots of organisations with this return to the office, for those who are physically challenged for being there, et cetera.

Yeah, which is really interesting. Really interesting. And sometimes, I mean, let's move on to the topic at hand, threat management. I find it interesting in terms of where people get this sort of threat intelligence from, because you can only manage the threats that you know about. And one of the speakers was sort of saying, you know, Twitter is quite a good source for threat management, that kind of thing. What are your sort of go-to sources for working this out?

So we have multiple. I mean, Twitter is a handy one, especially for sentiment analysis, trying to work out if you've upset a particular group of people. Twitter can be handy to see that. You can imagine, although Anglo American is a very responsible miner, you can imagine there are groups who have views on mining as a whole, and typically they will start to voice things on Twitter. Some even have websites. I won't name them for people to go and visit, but there are websites out there for people who are against the idea of mining.

And so we monitor those as well. I think we have lots of sources. I think the thing about intelligence is that it's a really interesting one. Intelligence is one of those things that you can shovel as much money, people, resources and time as you want into and still actually generate nothing. One of the things that tends to be missed is the idea of an intelligence collection plan. What do we want to know? So what's important to us, what do we worry about?

And so therefore, what do we want to collect against? What type of information do we want? And ultimately, these are driven by what we call critical intelligence requirements, effectively questions that we want to answer, and those inform what we need to collect. And that will help us choose what tools we use. If you don't have that intelligence collection plan, if you don't know what concerns your company, what you're ultimately trying to answer, like I said, you almost wheelspin, in a sense, where you get lots of good stuff in, your analysts will produce lots of cool things, but it won't really answer anything for anybody specifically.

And so people won't engage with it. And ultimately you'll miss the important thing which does concern your business. So that idea of the collection plan is really important. I'd suggest Twitter will probably feature in anybody's collection plan because of what it is. But when you look at the other types of tools, I'll give you a good example: dark web monitoring. I used to work with commercial infrastructure, and within that area there was lots of talk about SIM card sales. It was massive about five to seven years ago.

This was a huge thing about SIM card pricing, a sort of cartel thing going on with the SIM card manufacturers. There's a whole underbelly of criminality around SIM cards going on. And so for the organisation I worked with, there was huge interest in dark web marketplaces. Absolutely massive. In the mining industry, very little; we've not found it. There aren't many people selling tons of iron ore or diamonds that we tend to find on there, you know. Most of our commodities don't go on the dark web.

So from my perspective, although we do look at it, the dark web is not the most common source of information for us, because it's not doing anything that concerns us at this point in time. We keep tabs on it; it's right to do that, but it doesn't feature highly in what we're looking at, because it just doesn't really impact the industry. And so when you have that collection plan, you start to then work out where you do need resources and technologies, and that does help the process a lot.

When we talk about this threat stuff, because there's this sort of sliding scale between targeted attacks, where somebody takes a dislike to Anglo American and decides they're going to go after you, and then sort of spray-and-pray attacks, the sort of untargeted attacks. It's interesting, when we're talking about threat, it seems to me that it just ends up focusing more on that kind of targeted attack, because although there are threats from the sort of spray-and-pray type approach, those threats are generalised.

Of course, everybody's got those threats. So when you're talking about threats yourself, do you end up focusing more on those kind of targeted attacks? And what specifically about Anglo American should we be worried about?

I mean, it can be, Geoff. I think with the spray-and-pray attack, there is still utility in trying to divert some intelligence resources and collection efforts into that area. Can I bring this back to you? If you consider sort of passive measures, which I would consider patching to be, a passive measure. You know, if you're patching your systems, actively doing anything that effectively closes the door, if you're looking at that and you're looking at generic spray-and-pray attacks, if you understand which ones are becoming flavour of the month, what's being spoken about, what is likely to happen in the next few weeks in terms of spray-and-pray attacks, you can then use that to influence your patching regime, your system upgrades, in terms of getting rid of legacy OS, for example.

So that combination of those passive defences can be immensely useful, because I know there are some companies who are horrendously targeted because they're nice juicy targets to nation states and big criminal groups. Banks are the best example. That's where all the money is, and most criminals want money, so banks are a good thing to go after. But when you consider most large multinational companies, sorry, SME companies, the biggest concern is the spray-and-pray attacks, getting caught by an unlucky attack and being turned over that way.

And so using intelligence to understand those spray-and-pray attacks and the sort of flow of the attack landscape is useful in informing the rest of your cyber defence strategy, if you have a cyber defence strategy. Of course, if you're not doing active patching or anything like that, then obviously it's not something you're going to be too concerned about. If you are, it can become useful. Of course, the other stuff's useful as well.

Absolutely. So that threat intelligence that you get about the sort of spray-and-pray stuff is useful because it informs where you focus your passive measures, like patching and so on.

Yeah, yeah, exactly. I mean, if you understand all this, and to use a military analogy, you have this process called the seven questions process. This is what a commander will ask before he or she goes into combat, effectively. And the first question is: what is the situation, and how does it affect what's going on, and how does that impact my forces? It's the same with network security. If you think about what "what is the situation" basically means, it's: what assets do I have, and how does it affect me, where are they vulnerable?

Where can it be impacted? And if you understand that, then you can really start to close down your exposure to attackers, effectively through vulnerabilities, for example. And one of the key things with intelligence is if you know all your assets. So, you know, I have Schneider assets, I have Rockwell assets, I have these computers, I have this, that, the next thing. If I know that, I can create collection efforts. And this goes back to the intelligence collection plan.

I create collection efforts around Schneider. Is anybody talking on criminal forums, malware forums, about Schneider systems? If I then start to see increased chatter over those systems, we can start to make some assessments of: is there a possibility of a future attack against Schneider systems? If there is, or it's assessed there may be, we can then look at our Schneider estate and say, right, are they OK, are they up to date? Is there anything we need to do to be sure?

To make them more secure. The thing is that that sounds like fairly obvious stuff, but you can't do that for everything you own in the business. You'd need tens of thousands of analysts for all of that; it's not realistic. So the reality is that you've got to use that threat intelligence to pinpoint the stuff you need to move your resources to. It's a bit like a game of chess. You know, you've got a finite number of pieces and you move them very strategically.

Otherwise, you expose your systems. In cyber security, if you try and tackle all the issues, if you try and patch everything, for example, you're probably going to get into a bad place: burn your staff out, they'll get annoyed and leave, you won't have enough capacity. So you need to be really critical about these things. These things are unimportant just now because nobody's talking about them, nobody's using them, so they're ignored and parked. These things the criminals are looking at just now.

So let's go and deal with that, and it makes things a bit easier to make sense of, if that makes sense.

Yeah, it does. I'm presuming there's a defensibility aspect to this, in terms of, obviously, as a C-level executive you're presumably involved with the board, and presumably at some stage you're saying, look, here is what we are tackling, here are all the things I don't think that we need to tackle at the moment, because we're not getting the intelligence that those are threats that are coming over the hill, basically.

Yeah, exactly that. I mean, you know, the board tends to like to talk about things in terms of risk, typically in RAG status, so red and green. And by using that threat intelligence, you can actually talk very easily about risk. So if you're not seeing any information about, you know, System X at all, you can make an assessment. And this is all assessment based, so it can change, obviously, but you can make that assessment.

Is it green? Just... no, nobody's interested. Nobody's doing anything. Nothing's happening. However, this other type of system is being hit all the time. There's lots of news articles about it. We've seen some forums where they're talking about a particular vulnerability they want to start exploiting. So therefore that can then move to red. And so it does facilitate those easy board conversations about what's what. It depends on the board, of course, but boards typically don't want to hear about metrics, don't want to hear about the 400 attacks a month.

We defend three hundred and a hundred we have to resolve. They just want to look very high level at the risk profile and the threat landscape and understand that: first of all, the board understands where the risks are, and secondly, what measures are being taken to address and mitigate those risks. So it does really facilitate that conversation quite well.

Yeah, really, really interesting. And obviously we've had talks on teissTalk about CISOs and boards and how to manage that kind of conversation, which is something that comes up and up and up. Before we bring in our panel, I want to talk about, because obviously you've put patching as more passive threat management, sort of, a bit more proactive threat management, and there's also active threat management. And you mentioned before we came on the idea of these hack-back tactics and what's coming down the line in the US. Can we have a chat about that?

How do you regard what the US is looking at?

This is a fantastic conversation. You know, what is active defence? If you look in sort of academic journals and on any news sites, you'll see quite a lively debate about what actually is active defence. In America, they have this Active Cyber Defense Certainty Act, and I don't think it's actually come into force yet, but it's certainly been bandied about. And it's quickly become known as hack back, as you said, Geoff. And it's the idea that if you are attacked, you are entitled to then react to that attack and do something to the attacker.

An example would be to place a beacon on the attacker's system, so when they go back online you can see them and you can start to get information about them. There are some controls in it. For example, if you're going to hack back, what they're saying in America is that you'd have to get authority from the FBI to do it. But it's a fascinating question, because there are two key things here to my mind. First of all, it blurs the line between law enforcement and the private sector.

If we decide to go after the bad guys aggressively, then what's law enforcement in the traditional sense? If someone breaks into your house, you know, you can defend yourself in the house, but as soon as you leave your house, you certainly shouldn't chase after them, because you've then gone from defending yourself to actually chasing them, and you can end up in jail. We've seen cases before of people shooting thieves from their house and then going to jail.

So at what point does it separate, the separation from law enforcement to private companies? The second is, if you start to do that, what are the chances of retaliation? If you go after a nation state who attacks you, do you just open up the door to say, well, let's have a fight here? And if it does, then we have this escalation. So it's risky. It's a fascinating idea. And certainly, in my mind, something more needs to be done globally in terms of how we tackle cybercrime.

I'm not quite sure if the private sector riding off on horses and shooting the bad guys is the way to go. But I'm not saying it's not. I'm just not sure it is. It's an interesting debate, and the devil is always in the detail. Folks who are watching, if you've got views on this, please feel free to stick them in the chat. I'll be interested to see what you think. In the future, I hope to be able to run a poll on this kind of thing.

But yeah, let us know your thoughts on the old hacking back issue. José, or Josie, forgive me, I'm not sure how to pronounce it, has asked a question about cyber insurance, which I'll come to in our chat with our panellists. I'm going to bring on our panellists now to have a chat with us. We have Leigh Howard, who's head of Security Risk and Shared Services at N Brown Group. We have Simon Goldsmith, the senior director of security at Adidas, and Matt Lock, who is technical director at Varonis.

Welcome to you all. Can I come to you, Leigh, first of all, because N Brown maybe isn't a name that rings bells in itself. But what brands do you guys own?

Yeah, absolutely. So N Brown is effectively the umbrella group. We've got about five or six power brands. The most popular brands that people are most aware of are JD Williams and Simply Be. So it's an old company, over a hundred and thirty years old, previously catalogue, and now we're in the digital world of retail. It grew out of the big catalogue boom in the, whatever it was, nineteen twenties or whenever, when that kind of shopping became really important. It's interesting also what you guys do.

I was going to ask, you guys do... there's a big emphasis on sort of plus size and diversity. Like, if you're bigger than the average size or smaller than the average size, you guys have lots of outlets for that. So it's quite cool to see that.

Yeah. It's serving the underserved customer in an all-inclusive approach to shoppers in retail. And I think people trying to do that these days in a less tangible digital... By the close, it's less and less available these days for those of you... And you're not high street, you're just online. Is that right?

Yeah, wholly online. So we did have bricks and mortar until about three or four years ago, when we decided to shut it down, and given the events of the last 12, 18 months, that was a great strategic decision to take.

Good stuff. Thanks for that, Leigh. My first question for you, Simon, actually: Adidas or Adidas? I've never known which. It tends to depend on which side of the Atlantic you are on, that's my experience anyway. Exactly. That's how I've always felt it's pronounced.

Adidas, got it, and it probably needs no introduction. But in terms of, I mean, obviously, I know Adidas as a manufacturer, and obviously I see their products being sold in shops. To what extent is Adidas also selling directly? How much of a part of Adidas is that?

It's a very big question, and that's probably our biggest strategic objective right now, to shift more of our business to direct-to-consumer, with the target of it being 50 percent by 2025. And obviously digital is a big part of that, and this big digital transformation needs to go on at the front end with customers and consumers, but also with the supply chain.

Yeah. Yeah. What's driving that shift? That's a big shift to make. What are the sort of factors influencing it? Some really strong product drivers. It's more profitable, it's where we're more able to control the experience and traction with the brand, and it's of great value to the consumer through that kind of interface.

It's interesting as well, particularly with clothing, and trainers in particular. There's this whole customisation thing as well. And I presume that's part of it, that you can actually order direct from the manufacturer and you can potentially customise the thing if you want to pay a bit more.

Yeah, there's that. There's also the hype that's kind of a big part of our business, which is ramping up customer demand and appetite for the brand through hype: selling limited edition trainers and hype drops, as we call them. I didn't know what it was before I joined the company, but I do now. So yes, working with big brands and influencers is all part of that picture.

My cousin's kid got into this whole trainer-flipping business and buys these pairs of trainers, which frankly to me look hideous, but there's huge demand for them. And I think he had to put in his paper round money. He's now got two and a half grand.

He's actually blogging, playing a small part. But it's big business, the whole resale market for limited edition trainers, or sneakers if you're on the other side of the Atlantic. I think it's something like six billion in the next couple of years. It's a big market, a surprisingly big market.

And indeed, for somebody who wears brogues most of the time, you can market them. That's part of the attraction of the job, going to work in t-shirts and trainers.

It's exciting. Yeah. Matt, let's come to you next. Varonis I've come across at conferences, but just for those who don't know, describe in basic terms what it does. Varonis is a software security company that provides a data security platform. So we primarily monitor and allow organisations to understand risks associated with unstructured data, whether it resides in a data centre or in a cloud repository. And the big thing for us now and in the future is taking in multiple pieces of telemetry to provide behavioural analytics: understanding behaviour, understanding roles and privilege, to make a decision that something may have gone awry and warrants some level of investigation.

Right. So you've got a bunch of stuff on your server. Your software will kind of work out what it is and who ideally should get access to it.

Exactly. Yes. And also the behaviour, how typically people interact with that information, where it came from, and roles and peer relationships, and all of these good attributes allow us to make a decision about whether we should look at an alert or investigate something.

Yeah, interesting stuff. Interesting stuff. And yeah, obviously for the insider threat, which is another issue we've discussed a lot on this talk, it's really useful. By the way, I've got a question about that; I'll look at the questions in a bit. But I just want to come first to Simon, because when we were chatting about this in preparation, you had a very interesting sort of approach. You've got a hard-headed approach to threats and what you took seriously and what you didn't, in terms of what's on your radar. What do you think?

That's actually not something.

Yeah, it's interesting. It's an interesting angle. I was listening to Craig talk about that difference between APT and kind of the spray-and-pray, the large-scale attacks. And I kind of knew when I joined... I was formerly in financial services and national security, and one of my colleagues actually was the first one to reverse engineer the Bangladesh Bank malware that appeared on the printer. So kudos on that podcast, by the way.

Was that really fantastic? Yes.

I wanted to say, as a side issue, I made a podcast for the BBC all about this Bangladesh Bank heist, which you probably all know about. And I wanted to get Sergei for it, and he said he'd moved on, he couldn't speak about it, which was a shame, because his blog about that was absolutely amazing. Yeah. So, yeah.

So when I joined Adidas, I was full of all these great ideas of how we'd deploy threat intelligence for a big brand and use threat intelligence to drive up maturity. So looking beyond the typical incident management use of threat intelligence and more at the tactical and strategic use cases for it, that sort of thing. And the CISO at the time kind of sat me down and said, look, that's great.

But we've got a whole maturity journey to go on, and anticipating what threats we might face is a much lower priority than actually dealing with the threats that we have, and not being overwhelmed by those. And so our threat landscape is kind of the threats for a big e-commerce business. We've got the major type attacks. We've got the FIN7s. We've got the guys, I forget the name, the twenty-twenties, who go after the other kind of online portals.

And then we've also got the Lazarus Group, who've kind of hopped on the bandwagon and started doing Magecart-style attacks. I think Claire's Accessories was the publicised one. So we've got that range of attackers that are quite targeted. The ones that I guess are specific to only two companies on the planet are the sneakerheads. And it's a really interesting space. It looks like they developed completely separately from other threat groups, but the tactics they deploy are very similar to those doing ticket scalping and skimming and securing these limited edition sneakers.

So they're using similar tactics, techniques and procedures, but developed completely separately, and not always malicious, not always necessarily a threat, right? It's part of the hype game. So the way that we've got to look at those is a little bit more nuanced than just looking at them as bad actors. But I guess they are our equivalent of APT. We've got a lot of stuff in common with Ticketmaster in that case, the Magecart stuff and also the hyping and skimming, again with Ticketmaster.

They've got positive and negative sides to both attacks, because to an extent they want to stop scraping of their website, but to an extent it's also part of their business model. So there are some interesting dynamics there.

Leigh, let's come to you now on that, because it's a similar sort of sector, but presumably a bit less of the stuff that Simon was talking about, in terms of, you know, you're not doing drop sales of a particular type of trainer. You've got lots of problems you're trying to manage at the same time. But what sort of stuff are you seeing? What's on your radar?

Yeah, I think it's a slightly different scenario that a similar sector faces. I think I'm not doing my company a disservice by saying Jacamo is not as well known a brand as Adidas, for example. And so, previously, prior to Covid, we were not suffering from more targeted attacks, because we were probably in that category of lesser known brands. I think what Covid, and the prevalence of cyber attacks, and retailers effectively completely moving online has done is increase the type of attacks that we would typically see.

But just the prevalence of it, the efficiency of it, how it's getting delivered, where it's getting delivered from, has increased exponentially. And I think maybe previously we may have dipped below the radar, so to speak, on certain types of attacks, and I think now, like many other medium-sized companies, we're probably having to ramp up our maturity posture in reaction to that. The world has changed now, and presumably also because of the shift away from bricks and mortar and high street presence towards online.

And that's why folks like you are increasingly working for them, because it's all online.

So, yeah. Yeah, absolutely. And I think I look at it from an internal and external perspective. Our corporate network, we've seen an increase in those attacks. How to react to these type of attacks. Phishing is going to pay, for example. I don't think that's specific to my business. I think it's just a general trend. Yeah. And it's interesting as well, actually, because it gets similar to what Craig was saying. What's the situation?

How does it affect me? Well, and use that as an example, it affects me just as much as it always has. What does the situation mean? Well, it's getting more prevalent. We know the controls are working and can demonstrate what the likelihood of an unfolding increase is. You have to react to that, I suppose, and you get to about how do we do not threat management. So even just something as simple as that. And a reaction would be to over index on the internal colleague engagement and training and awareness issues, for example, things like that.

So and yeah, it's been interesting. And then similarly with the from an account perspective, retailers, broadcasters, BBC, Netflix, things like that. And financial companies are heavily targeted for account takeover attacks. So we used credentials. Elsewhere in the incident, and it's just the credentials of a slam dunk trying to get into people's accounts and brute force and the way to do that, so we saw a massive increase on the aspect with that phishing. I mean, that's an amazing statistic, 800 percent increase in phishing.

Is there a commensurate rise in the number of people who fall for those phishing attacks? Or can you have a big increase in phishing attempts? But actually, that doesn't translate necessarily over.

Yeah, well, I think that's because we almost put all our eggs into the technical security controls basket and then hope that will save the day. Right. And if you're talking about tens of thousands of attempts on a monthly basis. Yes. And the majority of them all will get stopped. But I think as that figure has just increased, there is a natural likelihood that only one, and I saw the question on the ransom, why, for example, only one needs to get through the technical controls.

Right. So this is where we need to fall back to our defence in depth measures. And people are the last line of defence and we have to engage with our colleagues. So it's just things like that and just reacting to what you see in an inappropriate fashion.

Come on. Now, it's interesting the way that the Varonis stuff works. I can imagine any organisation of any size, whatever the threats, can deploy your software and it'll do its job and they'll get the insights in terms of what their data is and who should have access to it and what the behaviour patterns are. So to what extent are you even concerned about different threats? Presumably I can see a situation where say, well, whatever the threat is, we can help out. To what extent do those different threats guide what you guys do for your clients?

I think they do guide us to some degree. I think we've seen and we've investigated so many incidents over the last 18 months. And a lot of them follow. I mean, we know they follow typical patterns of activity. We know the types of reconnaissance that they run. We know that they try and laterally move. We know that they try and do some sort of discovery, exfiltration, all of these things. So the way that we typically try and tackle it is by looking at behaviour that resembles those types of techniques.

So we try and stay reasonably agnostic to specific threats. Obviously, when we see, for example, a payload being dropped at a certain executable that's being named or perhaps a piece of ransomware that gets created and then to expose and extensions that obviously we would be mad not to include them in the platform will be quite proactive. But we try and be as agnostic as we can, and it really benefits us because we're looking at behaviour at the end of the day.

And if I can identify particular accounts that are associated with particular devices and then I start to see those accounts suddenly accessing, you know, devices that aren't within typical patterns of behaviour. And also peers don't seem to behave that way as well. That gives us a very good indication of something that's gone awry and then we can start to dive into it to actually find out what's going on. It's proving to be quite successful, really, to be able to be quite where we're being alert to quite early, you know, for example, with things like the Exchange proxy that came out recently and also the SolarWinds and other ones, the DarkSide as well.

We were able to detect that type of stuff by looking at the way that service accounts were suddenly behaving in a way that we don't typically behave and different accounts of different roles and different privileges. But they certainly have different pieces, different types of behaviour. And so that's typically what we see early on.

Yeah, interesting stuff. We've got a few questions come in. I'm going to pop a couple of them up on screen if I can work out with Jonti. Rhodes has asked in broad terms, are the panellists finding threat management, come to you with this first? Actually, Craig, in broad terms, are you finding threat management easier or harder or the same with high powered working? What's been your experience?

It's an interesting one, actually. So to touch on what that's been talking about, it's become in some ways, it stayed fairly static in terms of external sort of look in terms of the threat landscape, but internally and that the ability to look and understand it has threats increased exponentially. Simple things as printing at home. Windows 10 doesn't need printer drivers installed anymore, which is wonderful. It makes printing much easier, but also makes it easier for people to print stuff as soon as printed.

We've lost control effectively. You can see the screen, you can hear conversations her. We have an effective programme and in some instances there are calls the. A father walks in benign, but actually, if you're talking about something operationally, someone acceptable to be hearing about that. Of course, they might talk about over dinner, so you can't really control that. So those things really have brought in an interesting dynamic. I'm always wary of seeing this, but what is bad does increase the risk to the business.

I'm wary of seeing it as truly bad because if we do, the likelihood is they will run away from it. We'll go back to everybody in the office after a couple of years. But I think it's incumbent on us security professionals to establish the middle ground between risk tolerance and risk avoidance. We have to accept there is a new way of working and it's a good thing. But we also have to acknowledge that it does bring these threats. But what we can't do is just close the door.

I think I'd be ashamed if we'd done that, having done 18 months of working, if we just go back to what's the company saying now in the office, in the office, then I became finance is the best example of that, dealing with people's accounts. Where is the middle ground on that? I'm not from finance. I don't really know. But it's an interesting question when I want to come to you on this, because one thing I didn't realise for everyone is you're also a credit provider, which again, goes by ages.

I mean, Teddy Williams with credit provider back in the day for poor people. But that gives you an extra onerous responsibility, but also for working from home. You know, you're not just taking some sales calls. You also taking payment and extending credit to people.

So, yeah. Yeah, absolutely. So I think when we went into it, what I referred to is a dislocated set up. And we have to really look at our architectural design and secure by design approach of how we do those things. So as a regulated business by the FCA and obviously we have PCI compliance standards that we need to be, challenges just came out of nowhere. How do you control the physical environment once the physical environment, for example?

So then we got to really step up and ramp up and tackle controls that were replicable when you were, for want of a better word, on the LAN. And we then need to change our whole design posture to mitigate any potential risks and then have pretty robust conversations with the board in terms of how we can do what we can do. But then you get into the very murky world, sort of getting comfortable with being uncomfortable. Right. So it's and then this is where the whole risk management process really kicks into gear at that point.

What is the risk over the reward? Clearly, you've got compliance red lines that you can't cross. We need to demonstrate that we need to do that. Yeah, it's a really challenging time that is not an issue of three months, certainly.

How understanding were government and the regulators around that? Because you're trying to come up with questions and say, look, really, really good question, Jeff. If I look at two main regulators in my space, so the FCA and the ICO, for example, two completely different tones that were coming out initially from the regulators that the ICO subjectivism and the ICO tone was Williamston situation that people are facing the examples that are best and do what you can do and demonstrate you're doing what you can do.

The tone was rather much more robust. And which is interesting because we are a small business to like Barclays, for example, who really have much more robust controls in place and great integrity. So you have very, very different, differing views from two key regulators.

Interesting stuff. There's one here for you, Simon, that I'd like to ask. Martin Hopkins asks a question regarding threats that are targeted specifically at two companies in the world, yourself and the others that should remain nameless. Are you sharing intelligence between the two targets, and how does that work?

Not yet. But I but we've had conversations about doing that. A dozen banks do it. All the other competitors in other industries do. I don't see any reason why we couldn't share some. With information. I mean, I think we lost a little bit.

So, you know, that's also part of, as I say, part of the game and we might not. OK. Sorry about that. So I can carry on the threat of the deepest, darkest Peckham. So. So, yeah. So I think on those specific threats which aren't necessarily threats. So that part of the game, they're also a benefit to both of our businesses. We might not share the details on that, but there's no reason why we couldn't share a broader kind of threat.

Landscapes and intel on account of the threats facing, you know, sports, retail businesses because of the other businesses in other sectors. And so there's no reason why we couldn't. I don't think it's interesting, you know, the difference, obviously, being in banks that all the big four, the big six are depending how you measure it. You know, it's an interesting situation. When there's two of you I wish you get this opportunity again is part of that kind of maturity, the maturity curve.

And TradeSports spoke about the collection plan and that sort of thing. I think there is a bit of a risk, those of us who've worked in different sectors and potentially more mature sectors, to assume slightly more of a role than we should. So we talked about that blurring of law enforcement and private. Actually, we are private businesses. Right. And we're the security team in a private business. So we really should think about this from what we get to do from a business perspective and then what is appropriate from a security perspective, and getting on through the entire programme to a certain level of maturity where we really understand the threat landscape and really understand how that affects our business probably needs to happen before we start sharing.

Indeed. Interesting. I'm going to come to you just in the closing minutes of this. And obviously you've worked with various different clients and you've probably seen a fair amount of sort of threat management programmes and threat intelligence and so on. If you've got sort of key advice that you give to folks in this particular area when you come in, what are you looking for in terms of what's your first intel? What's your threat management set up?

Yeah, well, I mean, we you know, that does vary depending on the organisation that we're working with. We very much come from the ethos that we really try and help reduce what we call the blast radius for want of a better term. I mean, we've been involved in a number of instances over the last few months where had we not undertaken some preventive controls to reduce the potential impact, it would have been far worse. And we've seen that and we've seen tangible evidence for that.

So we always start from the beginning and just do an assessment of what the landscape looks like, what the level of overexposure is, how accounts or privileged roles are being utilised in the organisation and just try and put some good governance in place. We're quite lucky in the sense that whilst all that's happening, we're learning, we're learning about behaviour. We're learning about roles. So you could argue there's a little bit of a comfort blanket while we're sort of prepping and trying to fix the environment.

But we really try and spend a lot of our time just trying to reduce that over exposure and just make sure that there's good controls in place in terms of behaviour and roles and how people generally get access to the information. And it will pay off immeasurably in the event of a breach. And we've seen it time and time again.

Good stuff. Thanks for that. Time is ticking down and apologies. We had a few questions come in Chris Simon whosay, which I say please to get on to your questions, but also lots more ransomware. We've had other sessions on Thomas documents and you can find them on the website, but just a continuingly fascinating topic, that one. I want to thank our panellists for today's session. Really interesting chat with all of you guys. And I've lost my notes.

Craig McEwen, chief information security officer, Anglo American; Lee Howard, head of Security Risk and Shared Services, N Brown Group; Simon Goldsmith, senior director of information security at adidas; and of course, Matt Lock, Technical Director, UK, Varonis. Thanks, chaps. Very interesting discussion, folks. Come back next Tuesday afternoon at four. My colleague Jenny Macklin is back in the chair and she'll be talking about steps towards zero trust, digital identity life cycles with also Armstrong Smith, who's chief security adviser of Microsoft.

Also a fascinating chat with that suggestion at four. I'll be back next week at ten. Have a great rest of the week. And if you're in the UK, enjoy a bit of the sun. Hey, can I see you?

Your host:

Geoff White

Investigative journalist Geoff White has covered technology for BBC News, Channel 4 News, Audible, Forbes online and many others.

An experienced public speaker, he has given keynote talks at some of the UK’s largest tech events, in addition to hosting conferences and chairing panels at venues ranging from London’s Chatham House think-tank to the Latitude music festival.


Craig McEwen, Chief Information Security Officer, Anglo American

Professional and motivated leader who has worked primarily in the Defence sector across air, land and sea environments. Skillset includes:

  • Experience in managing large budgets and meeting spending constraints within Defence estates.
  • Well versed in managing large scale projects and bridging gaps between the Defence sector and civilian counterparts.
  • Extremely capable of working remotely either individually or as part of a large team.
  • Capable of working under intense pressure and still delivering results.

Lee Howard, Head of IT Security, Risk & Shared Services, N Brown Group

Technology leader with an extensive profile in managing government, defence and E-commerce digital eco-systems.

Highly driven, meticulous and dedicated. Experienced in a variety of roles and challenging environments around the world.

A seasoned professional, leading teams with a positive personality and delivering integral results.

Simon Goldsmith, Senior Director – Information Security, adidas

I have helped to protect military helicopters, central banks and Yeezy sneakers over a 20+ year career in security, IT and financial crime.

A short stint in professional sport taught me about resilience, endurance and performance. Along the way I’ve picked up a few lessons in leadership and teamwork both in the office and on the pitch.

Ever since writing the business case for an Air Force which needed a new IT system to be able to fly its new generation of fighters, I have been passionate about the potential for technology to be a simultaneous cause of opportunity and risk.

Matt Lock, Technical Director, UK, Varonis

I have 20 years’ experience in the field of Information Security, which includes extensive contracts with many global businesses, including BP and JPMorgan. Specialising in risk assessment, risk management, policy compliance, security reviews and managing network behaviour anomaly systems, I now lead Varonis’ engineering team in the UK, Ireland and Middle East, ensuring the team is helping customers and partners from a range of sectors in data governance projects, and organising, securing and managing their unstructured data.

© 2021, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd • Registered number: 05832927 • VAT registration number: 830519543
