Anthony Israel-Davis joins the show to discuss what you can do with the DBIR as a practitioner and his perspective on the proposed Cybersecurity Safety Review Board.
Tim Erlin: Welcome everyone to the Tripwire Cybersecurity Podcast. I am Tim Erlin, vice president of product management at Tripwire. I am joined by Anthony Israel-Davis, a senior manager at Tripwire who’s responsible for cloud compliance and operations. Welcome, Anthony. Glad to have you joining us.
Anthony Israel-Davis: Thank you.
TE: Anthony is a practitioner, not a salesperson. He’s on the corporate side of things. That’s what makes him particularly interesting for our talk.
A High-Level Overview of Verizon’s DBIR
TE: Today, we’re going to discuss Verizon’s DBIR 2021. I wanted to have a conversation about what the DBIR is for in our industry. What’s your perspective, Anthony?
AID: That’s a great question.
I think that one thing that the DBIR does is it takes the things that are going on in the cybersecurity space, particularly with breaches and incidents, and breaks them down into something that is both interesting to look at from a statistics standpoint but then actionable to various industries or people who are actually doing the work to defend the enterprise. So, at a very high-level overview of that, if you are a cybersecurity analyst and you’re in the trenches, this might be old news, but if you are doing strategy, if you’re trying to determine what to do in your space, this is a great report to understand what’s going on out there—especially year to year.
The other aspect of this that is near and dear to my heart is when we talk about the cybersecurity skills gap, if you are interested in cybersecurity and don’t know where to start, this report is a great resource. It is very interesting to read. There are a lot of good concepts in here.
TE: I think one thing that gets missed is that not everybody in cybersecurity is an expert. There’s a skills gap, and no one knows everything. People have to learn. They have to start from somewhere. It has interesting data from a cybersecurity standpoint, and it’s also interesting in terms of how it structures the data, how they talk about the data.
AID: Yeah. I would agree with that. It uses something called VERIS, the Vocabulary for Event Recording and Incident Sharing. It has a taxonomy and a schema that is very deliberate and allows them to take the state of year over year and develop this trending in this framework that allows us to do something with the data.
TE: Yeah. VERIS is an interesting component in the DBIR because it defines actions, threat actors and assets, I think. Those are the three key categories there, but then the Verizon team layers on top of that this concept of patterns. And that’s an interesting piece, too.
AID: Yeah, for sure. It allows us to do some very interesting correlations.
The thing that VERIS does for me that I really appreciate is it breaks it down in a way that allows us, allows me, to look at risk. And a lot of the risk frameworks use this same sort of language. Like if I look at FAIR, the taxonomy uses actors, uses impact, uses exploitability and vulnerabilities. So that allows you to take a look at this and do your own risk assessment based on what’s coming out of the report. FAIR isn’t the only way to look at that, but from a risk standpoint, you could think, “Who are the people who might be attacking me? What types of exploits or what types of things might they try to use to get into my system and take my data?” So, yeah, it’s pretty interesting.
Putting DBIR into Practice
TE: That brings me to the second question: What do you do with the DBIR as a practitioner? How is it useful to you?
AID: That is a great question. Does cybersecurity change in practice from year to year? I would say not too much. But what does change is where you invest your time and effort. We only have a limited amount of time, people and money to spend on cybersecurity.
“Where do I spend my time?” If I look at where people are coming in, it’s very clear that you’ve got to patch, but you’ve got to patch intelligently because you can’t patch everything all the time. So, how do you manage your patching while you patch the most vulnerable things and you patch your most critical assets and the things that are least vulnerable or at least exploitable? Maybe you can spend less time on those because you can’t be patching all the time. You’ve got other things to do. If you know that phishing is the number one exploit still, you really need to invest in educating your people.
Phishing is the scariest one to me because a lot of those impacts that we see and a lot of the things that we’re seeing from ransomware to malware to credential theft are leveraging that type of social engineering. We’re pretty good at fooling each other. We’re very susceptible to those sorts of things. We just have to stay on top of it. You’ve got to be vigilant all the time.
TE: You touched on something that jumped out at me, which is the connection between the different types of patterns or the different actions. To give credit to the DBIR team, I think that’s a very difficult problem to solve with the data that they have. They have paid some attention to which actions occur at what point in a breach life cycle. It’s interesting that phishing is at the top of the list, but that doesn’t mean that the phish is the end of the line. Once that successful phish has occurred, its goal is to do something else. So, you must think about layered protection. Stopping phishing isn’t just training our users to not click on links.
AID: Absolutely not. Don’t click on links, don’t open things, but then what do you do if you do? Why not cultivate your employees to be your early warning system when it can have a great return on investment? When you think you have made a mistake, you’ve clicked a link, you need to be able to report that right away.
TE: There’s no downside to reporting. If you’re suspicious of anything, report it. If you think it was a mistake, report it. If you clicked on a link and you had a sinking feeling about it, report it. It is a cultural change to instill in people that it’s not that they’ve done something wrong. It’s not their fault. They’re not going to be shamed for reporting something like that.
AID: Being ashamed of being a victim is a very common thing. And that’s something that gets exploited by attackers all the time. If we can change that to say, “I’m going to actually fight back,” then maybe that will help to build a more resilient response to being under attack.
Biden’s Proposed Cybersecurity Safety Review Board
TE: I want to change topics. This DBIR came out almost at the same time as a new executive order around cybersecurity. The executive order lays out essentially a roadmap of items. One of the most interesting pieces is this cybersecurity incident review board, a governmental organization that’s intended to review significant cybersecurity incidents and essentially do forensics. Is that something you think is going to work? Will it make a difference?
AID: I think it will.
One of the things that we do is lessons learned, and we do this for all kinds of things. We do it after we’ve had major projects. We do it after something has gone wrong in an IT environment. So, having the idea of a lessons learned session and then continually improving a process is endemic to what we do on a daily basis. This is something that happens all the time, but it’s not happening in a coordinated national way. And so, what we see a lot of times is maybe a company gets breached and they do their own internal lessons learned but nobody learns anything from that.
The interesting thing to me is: What does that mean for the industries that are affected? What does that mean for a company that’s breached, and how does that make that company more resilient and better protected? I think it’s going to be a shakeup for the software companies and the service providers that this will begin to look at.
TE: We as an industry are not used to that level of transparency. The first organization to go through this cybersecurity review board could have all their skeletons in their closet laid bare so that everybody else can learn from them. That’s going to be a dramatic and unusual process until it becomes a usual process.
AID: Yeah. We don’t want to expose those skeletons, but by doing so, we become resilient. So, the general public benefits. The individual companies might feel the pain, but overall, we become better for this sort of investigation.
TE: It’ll be interesting to see how they scope out what a significant incident is that requires investigation. I completely understand if it’s something that impacts safety like these critical infrastructure incidents. Theft of credit card data from an e-commerce company? Probably not the kind of thing the cybersecurity review board needs to get involved in.
AID: Think about some of the more famous hacks. Those aren’t necessarily critical infrastructure, but they impacted a lot of people and were very expensive. So, I think it’s going to not just be about power grids and other types of critical industries. It’s also going to be about how much money and how many people it’s affected. We’ll see how that plays out.
TE: Yeah. All right. I appreciate the time. It was certainly an interesting conversation. For everyone listening, I hope it was as interesting to you as it was to me. And I’m looking forward to the next podcast. Thank you so much for spending time with us, Anthony.
AID: Thank you.