🔒 Security Week Fireside Chat: Michael Coates, Nate Lee & Joe Sullivan
Presented by: Joe Sullivan, Michael Coates, Nate Lee
Originally aired on February 23, 2022 @ 1:30 AM - 2:00 AM EST
In this Cloudflare TV Security Week segment, Joe Sullivan, Chief Security Officer, will host a fireside chat with Nate Lee, CISO, Tradeshift and Michael Coates, Co-founder & CEO at Altitude Networks & former CISO @Twitter, LastMinute Group, where they will discuss data leaks and exfil.
English
Security Week
Interviews
Transcript (Beta)
Hi everyone. Welcome to Cloudflare TV. My name is Joe Sullivan. I'm excited to be here this afternoon.
I have two special guests and we're going to be talking about data leaks.
We're all security leaders or former security leaders who spent a lot of our time thinking about how to protect our environment and you know that whatever it is our company organization has been entrusted to protect for our customers.
And we try and stop the bad guys from coming in the front door or the back door or any other door.
But more even more importantly as we try and prevent the secrets and sensitive things from going out the door.
So let me turn it over to my two guests introduce themselves.
Michael let me start with you. Great. Well thanks for having me Joe.
Really excited to talk about this. Everyone my name is Michael Coates.
I've been in the information security career security space my whole career.
I'm currently the CEO and co -founder of a company called Altitude Networks.
Prior to that I was the CISO at Twitter. Something that you have probably heard of.
I've also been in other roles like the chairman of OWASP the nonprofit for application security.
I was head of security of Mozilla at one point. And many years ago I was the person doing the hacking breaking into governments and banks to show how the bad guys get in and hopefully have that fixed before they actually do.
And on my side I'm currently the CISO at Tradeshift still running a business to business SaaS platform.
And before that I had come up with a engineering background and found my way into the security space about five years ago.
Great. And as I said my name is Joe Sullivan. I'm the CSO here at Cloudflare. I've been here almost three years.
My security career started I was a federal prosecutor back in the 1990s and got into cybercrime then.
Started prosecuting cases ended up in 2002 going over to eBay.
Spent a few years on eBay's trust and safety leadership team.
Worked on the PayPal side of the house for a couple of years then moved to Facebook in 2008 was CSO there up till 2015 when I went to be the CSO at Uber for two and a half years before this job.
So it's been spending the last 20 years thinking about how do we keep the sensitive data inside our organizations from being stolen.
And that's really the topic we're going to dig into today. You know there are a lot of products out there you know that have been around in the last few years called DLP data loss prevention.
Some of them have worked well some of them not.
There have also been a lot of different controls put in place or in some of the control frameworks that talk about like minimum things that companies should be doing to prevent data from getting out of their enterprise.
Michael when you step back and think about it when you want to stop data from getting out of the building how do you start to think about it?
What's the first question you ask yourself? You know the very first question I ask is because like what kind of organization are we?
Because historically if you go back to the big walls big perimeter if you're that kind of organization then all of your data is in one place.
And you can think about putting that strong perimeter approach of let's have rigorous controls anytime somebody wants to make an FTP external connection.
It's going to go through the firewall team.
We're going to heavily moderate that. Let's think about physical USB devices.
They walk out the door and maybe we even have turnstile and guards if that's our threat model.
And that kind of scenario may work in that world. But as you ask yourself that question you may say well that's not us at all.
Our offices are distributed.
Our employees are working from home. We're interconnected to business partners in cloud.
And then suddenly you say well that whole traditional model of on-prem DLP thinking doesn't work at all.
And you can try and jam it in there and you can check a box with your compliance saying we got DLP.
But you're just going to be spending money and not getting a lot of a lot of return.
So that's where I'd start.
That's the first like the realization of like what are the threats?
In what ways are data moving and leaving? So we can start to think about how we're going to tackle that with a reasonable approach.
Yeah kind of implicit in what you said is like understand the organization but also understand what you're trying to protect right.
And the reality is most of what we're trying to protect inside our organizations needs to be accessed by a good percentage of the employees in the organization right.
So like it's one thing to have like the secret recipe for Coca -Cola that sits in a you know is in a physical safe or something like that.
But that's not the reality of modern businesses is it?
I totally agree. Like it gets to that classic notion of we can make things super secure but at the expense of the business.
And then we may have a very secure company that is out of business.
And so data couldn't be more valuable today and the speed at which we move around with data.
It's really not even acceptable to go to that old model of well just ask the security or team to authorize your access to this system.
Like even that in most businesses is just a non-starter because then they're going to wait around for a ticket to be processed for a day.
Like your business will drive or slow to a halt.
And so that's the new challenge like how do you think about data security when any employee is authorized to change permissions.
And then that data can move in all sorts of new ways at a moment's notice.
Right I mean Nate when we were kind of framing this up beforehand you I think made a really good point that like we're not just worried about like the way I described at the beginning the bad guy coming in and trying to grab the data and walk out.
We also have to worry about inadvertent data leaks. Yeah and I think I mean that that dovetails on the point Michael just made which is you want to enable employees and people within the business to get their job done and do so with less and less friction.
But at the same time part of that enablement is is a great amount of responsibility that's being pushed out to the edge.
So it's not just data being pushed out to these distributed sources but it's also the responsibility for being a good data steward and partaking that.
And I think that's where certainly just having a security team focused on this it's it's very difficult right.
You need people to be aware of of all of the systems and and how they interact and and what their responsibility is and and how their actions can impact that.
So I think it really does require a different mindset now versus the the vault mindset of having everything kind of in one place that that companies had been doing up until I guess fairly recently.
Right I think Michael alluded to this idea that you know a lot of us in security 15 years ago thought about building a big moat around our organization and you know we defined it at some kind of corporate network perimeter and it was an easy model for us intellectually to think about all the data and all the employees stay inside that perimeter and all the bad stuff we try and keep outside completely.
And so I remember a long time ago when I was building a security team one of the first things we invested in was kind of a network perimeter monitoring system that was looking at all the traffic that came into our corporate network and we only let our employees out to the Internet through you know a very specific tunnel and then as our employees started getting all over the world and taking their laptops to Starbucks the model started to break down quickly.
It sounds like that model just doesn't exist in real world anymore does it?
I completely agree and even more so not only is the connectivity distributed the data itself and where it even resides.
So it's both employees connecting all over the place but the data's moved from inside the company to over here in this cloud app over here in this SaaS app at this infrastructure service and so the the notion of perimeter security could be updated to the perimeter where it's the data but that data is anywhere in the world.
That's where things get really tricky and you know what what I love I think Nate mentioned also was around the intentional theft or the accidental sharing when the threats are both purposeful and accident and it's a new way of thinking in our security worlds because we've always been focused in security on who is specifically trying to exploit this vulnerability that my mental model makes sense there but what if it needs to incorporate people trying to get their job done and just making mistakes and that kind of flips things on their heads a bit for how we are used to thinking about things.
Right yeah and having having visibility into all of these different tools I think is is definitely one of the big challenges because you have teams and and they're using whatever the the best tool is for their job which is probably a SaaS tool at this point and at some point it becomes unscalable for you to by hand be managing kind of the security posture and each of these and the security settings and what if somebody misconfigured things so yeah the challenge I think that a lot of companies are facing now is how do you get visibility into the tools that people are using and to ensure that with these extra responsibilities you're giving to people that they're they're using it properly and that you get visibility into where there are misconfigurations that can accidentally lead to data leaks.
Yeah I'll never forget the first time a couple of companies ago my security team was investigating I think it was an accidental exposure of data and we contacted the SaaS provider and asked for logs and they said we'd be happy to provide you with the logs of what your own employees did for a fee and I quickly realized that you know within the in the traditional perimeter context where we were kind of the gatekeeper we were able to make sure that we had all the logs and we were able to write rules or build models against those logs or and buy security products that had those rules and models built in in this SaaS first world that we're all in now or at least hybrid how do you the two of you think about going at getting visibility into what's happening to your sensitive data that's not inside your perimeter?
Well you know I think I think you have the traditional thinking you can take towards it or you can take a pause and maybe take an updated approach to your thinking the traditional thinking would be go acquire the logs which you probably could if you built connectivity into APIs pipe them into a sim and then spend a lot of time learning what those alerts are and writing your own things and that world has its place I think you know the sims are still there and people still work on those but that model is also pretty expensive and one of the things we've learned the reality of working with these other platforms is you are beholden to them if they want to change the way the logs are formatted they want to change the functionality add new features they're rolling that stuff out all the time do you want to build that yourself to figure that all out and then I think there's the other way which is saying we could go after solutions that are thinking about this data security problem specifically and are ready to plug into these platforms with an understanding of this and this I think gets into a whole fundamentally new thinking across the board which is our security tools are so hard like we should push our vendors to do more of the work for us instead of just saying hey I gave you a tool you just need 12 engineers to work with that tool like oh my god that's not much of a solution is it so I mean I'm a little biased here of course too because this latter category is where I live you know building like more intelligence into understanding the sharing understanding when it's accidental versus purposeful versus sensitive or it's not but I do think it's a new way of looking at things which is only going to grow in interest as we keep collaborating and working in the cloud right yeah and I think that's definitely I mean the right way to think about it because with with everything else these days right with Amazon and other services that you're also seeing to Salesforce their best of breed their specialist in that that's their core competency is doing whatever that is infrastructure or platform and if you look at how you're going to analyze all the different events coming from all these different tools like Michael mentioned there's different log formats none of this stuff is standardized it's never going to be your core competency to be vendor to vendor to vendor trying to normalize these and make sense of it and I think again that's where looking at companies who specialize in this right where it's their their core competency I think that that's certainly an area that I'm looking more into because otherwise as you said it's it's really expensive right if we're just gathering all these logs trying to make sense of it sorting through false positives false negatives it's just a lot of effort and the the return is not ever going to be there as these things scale out right I think one of the challenges is definitely that the inconsistent logging the like like as Michael said if you try to go the traditional approach the logs that you're going to get from every one of these providers is going to be fundamentally different from the last we did we did a blog post a week or two ago because we had a little compromise situation with our Verkata cameras in some of our offices fortunately we had the cameras isolated on our network number one and number two the offices were all closed during the time period in which the compromise happened but it was a real it was really interesting to reflect on you know here's a third-party product cloud -based with access to some part of my environment because we've implemented that technology and even though it's physical cameras it's actually no different than a piece of any other piece of software running in my environment and we had great logs because we had we had implemented a network extrusion system for in our in our office network so we had I actually felt like we had better quicker logs than the than the SAS provider and in the dialogue with them about trying you know analyzing what happened we had we because we had our own logs we had a source of truth of what had happened in our environment that we could get to faster than relying on that that technology provider but the other part of it in that compromise situation it was the outsider didn't compromise didn't go directly at attacking my environment they attacked that vendor and then you know like it's the supply chain risk that we all think about by compromising Verkata they they assumed like the super admin role of a Verkata employee and customer support and then could act like go into any company and so thinking about it made me think about the when I think about SAS products I think about my employees access and I've done a lot of my security focused on managing the logs around my employees or someone assumed the identity of my employees accessing those environments how do we get better visibility into the SAS provider themselves have you have you either of you seen anything interesting or innovative in in those contexts so one of the things uh and this is more the scary situation but we saw exactly on that supply chain risk where uh you know companies are trying to wrap their heads around human access to data in the cloud platforms but then there's also the secondary path of application access so you know we could all authorize I don't know DocuSign to connect to our cloud apps I'm like oh that seems reasonable that's helpful uh and then perhaps somebody makes a mistake or an employee makes a poor decision like I'm gonna authorize Pokemon Go to connect to my corporate data all things are like nope we don't want that so some companies have you know thoroughly locked that down and turn that off but because it's not just employees because it's contractors and business partners we've actually seen situations where companies outsourced legal team they installed a cloud backup app which backed up their stuff from the cloud great and every file they could touch so it reached into their customers and started pulling data out and so really to your point of this supply chain third-party risk it has its new face in data sharing data access um I think to answer your question the only way to start to tackle that because you have no control over these third parties per se is to go to the root and to say if we know who's touching the data because of our integration with those SaaS apps then we have a chance if we have systems that are fast enough or real-time or continuous to actually see those types of things happening um but it's certainly a new variation that we were we were surprised to see at least and and definitely I mean I think um with all of the different integrations that that was something we caught uh a couple years back like you mentioned just uh employees being able to hey I have Google Drive oh this that this tool will be helpful and install some sort of uh OAuth token that that's going to have access and and realize that this is a giant hole so we we moved that over a while back to allow list only but I think there's plenty of companies who either a don't see it or there still are things you need to share right and and to get to the earlier point of at scale you you can't be expected to to manually manage this so you do need things that are going to have that aggregate view of of what's being shared with who and and hopefully have some sort of way to identify a baseline and then you can at least alert on anomalies and throw some human heads at at identifying kind of what's the the intent behind what's happening here because you still need people to look into this and and there's going to be plenty of false positives but having that sort of visibility to at least know that something's happening that seems suspect I think is pretty pretty key going forward here excuse me there was a buzz phrase or acronym I heard a lot three or four years ago and I haven't heard much lately user behavior analytics that was really kind of looking at you know like I think what you're getting at when you talk about rules like an employee typically inside their corporate environment is doing a b and c and then all of a sudden you know you know for the last two years they never downloaded a gig of data from a code repository or something like that and all of a sudden they've downloaded the entire wiki for the whole company and and it sets off an alert and it's probably more ideally more subtle detection than that have you thought about user behavior analytics and is that something we should be considering in this context I think it was a cool industry direction and I think what we realized from it was it's not a product but it's a feature and it's a feature that should be in a lot of different places so I totally agree that if we're thinking about protecting data from x fill and we recognize that there are the two core categories of accident or purposeful malice then in that malice category is everything around behaviors and just like you said like the act of downloading a large number of files should tip off someone and I kind always take these things back and think of it from the being deposed or having New York Times reporter you know all things we don't necessarily want to be doing in a poor situation but if they're to ask you that question like so tell me again they downloaded how much data which they never do and you saw nothing like those are the kinds of things like yeah that does seem like we should have at least entry level controls and as we could get better with data science machine learning sure maybe we can get more nuanced variations but we've got to be of course conscious of the the false positive efficacy trigger because we could be chasing alerts all day long if we do that poorly but there certainly needs to be some visibility of either massive downloads high rate of viewing high rate of edits which maybe is a new variation of encryption in the cloud or locker of some sort so totally on board with the need for those things yeah I mean I think otherwise the the false positive thing that's I mean with traditional hits or or anything like that it's the same same sort of thing right you you can get something stood up and running and and feeding you alerts but any of those out of the box are just going to kill your team with with responses and kind of tuning alerts and looking at how do you make that so that you can be more focused on on things that actually do deserve your attention and that that is why I think I mean as as these services mature having the those same models likewise mature because the the companies that are going to be focused on this are going to have data from any number of of different companies using a given service versus if it's just myself trying and my team trying to do this again it's it's going to be a lot more expensive so I think that's that's certainly a direction where I would see a lot more value and expect a lot more value to be coming in the future now one of the one of the features of traditional DLP was this idea of actually blocking the exfiltration so you could think of it as like somebody created an attachment to the email and they tried to email it outside the company and the DLP tool would see oh they just attached a spreadsheet with a bunch of social security numbers or credit card numbers in it so block that and it never got out does that model exist in modern data loss prevention do our companies implementing tools that will actually block like that currently and I think it's it's still a problem I mean you obviously don't want someone doing that but I think just the the surface area has expanded exponentially with all the different services I mean email is one thing but they could be in a joint slack channel and uploading stuff or they could be sharing a drop box folder or whatever it might be so I think it's it's still there it's just a greatly expanded problem for the today and I've also seen it grown because there's the act of moving the data which is one huge risk and in some situations instant awareness and the ability to pursue them through other means be that legal is powerful and then on the other hand there's all of those opened doors from the misconfiguring of files and so while the data hasn't technically left it's basically at risk for breach the moment that link is shared in the wrong slack channel emailed to the wrong person and people like oh the link is out of the bag and so those are not so much as pulling the data back in but having the ability to actually find them and just close the doors so I think it's a little bit more varied in the new world.
Yeah I think with one of like the really basic things I've tried to do with my teams and with employee education is really get everybody to understand I don't ever want them to attach anything to an email they should always be sending a link and the and then for all of the kind of platforms that we do use for sharing of links I make sure that the default visibility is locked down to at least you know only inside the company so that if you know if I send to the two of you a link to you know a spreadsheet that has my team's budget or something like that you'll get a link but what you want to actually be able to access it without our multi-factor authentication to show that you're an employee of my company.
What are some other little kind of things like that that we could be telling people to do in terms of getting ahead of these risks?
One of the trickier items that comes up that employees can play a role unfortunately many times when you go to share a document with someone it will auto suggest a recently used email for them which may not be the work address and so it is a point of user education to be diligent like which Bob email address he's sending it to.
On the other hand it's also a risk to be aware of that no matter what there will be some amount of buildup of sharing to personal accounts that won't get corrected and will pose a risk when someone leaves the company they will keep access to files and not just a snapshot of access but updates to that document real-time access.
So both user education there and a consideration of holistically how are you figuring out your personal email account access across all of your you know millions of files.
Right yeah I've actually had that problem come up quite a few times where an employee who's new they're on their phone and they get a sensitive email with some internal information they hit reply all and then they want to add you know a Michael at the company to that thread and they start typing in Michael and then it pre-fills but it's the Michael from their old company that who's in their contact list and they're going quickly and they're on their phone it's a small screen and they wear glasses and they're not wearing them at that moment and they hit send and then someone else says reply all did you really mean to include Michael from your old company and I actually saw a situation I was familiar with from another company where a financial leader at the company did that and they had to physically go out to the recipients and require them to sign NDAs and validate that they hadn't done stock trading on the information because it was a public company sensitive data.
Once the data is out of the bag it's really hard to pull back.
Yeah it can happen just like in the emails and also in the context with the files and the sharing platform too it's that's wild.
Yeah I think I mean the user education piece you touched on is is important to but to think about it not necessarily of we can expect users to understand all the ways that things can go wrong and all the technical considerations I think it's important to help users understand what sort of situations could lead to problems in a more general sense and let them know hey expectation isn't that you know everything but you should be aware of things that can go wrong and things that might look suspicious like if you are on an email threat and you see someone has added someone personal and make sure they know that's the sort of thing that the security team's here to help for so you kind of can expand your presence by making more people aware of what sort of risky behaviors are out there and have a funnel for that information into your team.
Yeah so wow the time's gone by really quickly we only have three minutes left so I have one last question.
When I look at products out there that talk about oh we have machine learning built in we'll do the anomaly detection the behavior analytics we'll block the risky thing we won't let and we won't get in the way for you know for the good communications and good traffic.
How do you evaluate those products like we acknowledge we don't want to have a bunch of alerts going to our security team that's just noise and we also don't want to block our employees from doing their job.
When you look at a security product that says it'll like use technology to filter for you how do you develop a confidence?
I mean for me it's referrals are going to be a mindset like we were talking about earlier you know are they a cloud first company or are they kind of a more legacy setup technology wise and getting feedback from people who are using it and have experience because I think it's going to be hard to kind of get that confidence without someone you trust getting that feedback of real world use.
Yeah I love that question Joe and it gets to a sad element of the security industry in general which is there's too much overhype in words and saying we can do this we can do that and when I started Altitude Networks I was very much against that whole thing and we adopted this model of what if we just showed you like because of an easy deployment like we will just plug in in the 10 minutes and just give you a preview what we have and you can decide if it's valuable to you or not from that point and I like that because the reason you know Nate you said referrals it's because these people have actually used it for real they didn't read the brochure and then said do it like they put it in their environment and I think that's where we need to be with more products because the technology behind the scenes is is hard but we're going to see it in what comes through like all right is this valuable are these files I actually care about are these risks accurate is it easy to use and there's no way to know that besides actually getting in there and trying it out.
Yep I agree with both of you that's I see it in terms of the products my team and I choose for doing security here at my company and also see it in terms of the adoption of our products the model we have is you know we give away a lot of our products for free and people use it and get to kick the tires and realize and can see the value or lack of value in their environment and I always get troubled when I ask my team hey I got a free version of a product would you check it out and they'll say Joe I need three people to run that product so like nothing's free if it causes a lot of noise and overhead for the security team so so it sounds like from this conversation we haven't completely solved data loss we've got plenty of work to do and there's opportunity for more products and development on our team so we're we're just about out of time so let me just say thank you both for joining me this conversation filled the time really quickly thanks for having us thank you