[00:00:19.460] – Matt Fusaro
Hey, how are you?
[00:00:22.250] – Jason Pufahl
We’re going to go on a limb today, I think, and talk a little bit about 2022…
[00:00:27.160] – Matt Fusaro
Pontificate if you will.
[00:00:27.650] – Jason Pufahl
What’s that?
[00:00:27.710] – Matt Fusaro
Pontificate if you will.
[00:00:28.910] – Jason Pufahl
We are going to pontificate. What do we think? What’s going to happen in 2022? I think we did the easy job of talking about what 2021 looked like. What do we expect to be those ‘big ticket’ items in 2022? Certainly, we’ve seen some vulnerabilities now that might bring to light increased tax or exposure on some cloud infrastructure. I think we expect to see more of that probably going forward.
[00:01:00.200] – Matt Fusaro
If you look at, the most recent one is Log4j. I’m sure even the common folk have heard about it by now.
[00:01:08.210] – Jason Pufahl
I’m sure it’s not gone by the time this airs.
[00:01:10.100] – Matt Fusaro
Yeah.
[00:01:10.430] – Steven Maresca
Absolutely not.
[00:01:11.830] – Matt Fusaro
I think a lot more of that is going to be prevalent next year. This really affected a lot of providers, a lot of them. Again, simple attack that could be done by anybody. This was really like an ingestion-type thing, parsing. I remember sitting around in a room in a previous life, and there were quite a few security top minds, if you will. This was exactly what one of them talked about. This is going to be the end of security if we can’t get this right.
[00:01:45.060] – Matt Fusaro
He was talking mostly about processing basic strings. Here we are. This has affected almost the entire industry. I don’t think this is going away.
[00:01:55.130] – Steven Maresca
Anything that’s a parser in itself.
[00:01:57.760] – Matt Fusaro
Exactly.
[00:01:58.770] – Steven Maresca
CPU in disguise.
[00:02:00.100] – Matt Fusaro
Yep.
[00:02:00.370] – Steven Maresca
Absolutely. Log4j is a really good example of something that is a hidden vulnerability. These are tools, for those who aren’t familiar, Log4j is explicitly for crafting log messages, literally to say, “Hey, Joe did a thing with the application.” But it’s a very clever tool. A little too clever for its own good. The trouble is, it was embedded in everything. We think that the next 12 months will have vulnerabilities targeting that type of pervasive component in a way that causes pain for the broader ecosystem of tools that organizations use. They may not have themselves, but they leverage other services.
[00:02:46.420] – Matt Fusaro
If you really pull back the covers of how a lot of cloud services work. A lot of times… I don’t want to say cobbled together, it’s really the wrong word for it, but they put a lot of different software components together to make that happen. You may be interacting with it as a website, as a device that does something with a cloud service that you use like your camera at home.
[00:03:09.370] – Steven Maresca
Or your Roku streaming.
[00:03:11.050] – Matt Fusaro
But at the end of the day, there’s a lot of infrastructure that runs that in the background. It may have access to certain things or certain subsets of that and a small vulnerability like Log4j ends up being a huge issue for the entire infrastructure of it.
[00:03:26.290] – Steven Maresca
To give you a sense of what we’re thinking about, Apache and IIS, those are the world’s biggest web servers. There are others, certainly NGINX; similar. But the point is that those are the most pervasive. If there is a component, which ships with either of them by default, and it’s something that can be subverted, that means that effectively 90 percent of the Internet immediately is vulnerable to that type of attack.
[00:03:56.430] – Steven Maresca
Large organizations that are finding vulnerabilities that are seeking to find things that are the largest impact capable, are effectively spending their most substantial effort on tools of that variety. This is a truism. This is not new necessarily, but the focus has shifted toward those things which are most broadly accessible to the rest of the world.
[00:04:21.700] – Matt Fusaro
Yeah, you’ve said it before attack efficiency seems to be the key here for the next year.
[00:04:27.670] – Steven Maresca
Effectively, I think Jason said a moment ago, ROI in the previous episode, that’s the thought process of an attacker, too. Anything that allows minimum effort with the largest pay-out.
[00:04:42.070] – Jason Pufahl
I think it also shows just moving your infrastructure to the cloud doesn’t necessarily mean it’s just secure. I think there’s always that mistaken idea that, “Hey, we’re safe. We’re shifting risk somewhere else.” The fact is you’ve still got your data there. You’ve still got risk as a result of it. We need to pay attention to that.
[00:04:59.920] – Steven Maresca
The last two years have seen a huge sea change toward collaboration tools and facilities to support working from home. Those facilities now are the most ripe from a cloud service perspective, in my opinion, to be undermined. That might mean redirection of applications that you trust to achieve harm. That might mean something that enables theft of large identities en masse. If I were to go on a limb, that’s where I would say that I see the next step to be, but time will tell.
[00:05:35.490] – Matt Fusaro
It doesn’t seem like it’s a new area. The cloud, quote-unquote has been around for a long time at this point in years. I believe it was on CNBC, I had heard an analyst talking about how most enterprises, 84 percent of their workloads are still local which is crazy.
[00:05:53.960] – Jason Pufahl
I wouldn’t have gone with that much.
[00:05:56.070] – Matt Fusaro
I don’t know how true that number is, but just thinking about that, people are still looking to shift out there, and it’s just becoming more ubiquitous at this point. It just makes sense for attackers to be focusing on that. You also have new technologies being deployed to make that easier. 5G now is becoming actually production-ready. There’s been years of that in development. That completely changes the whole landscape of how people interact with services. Small devices can use it now.
[00:06:31.350] – Matt Fusaro
You’re seeing in consumer devices that you can go and buy. Steve and I were talking about this the other day, there’s not really a lot… The bar isn’t very high to actually deploy your own 5G infrastructure if you really wanted to.
[00:06:44.930] – Jason Pufahl
I think you said you could stand infrastructure up ten grand, twelve grand.
[00:06:50.050] – Steven Maresca
It’s absolutely possible. Part of that is because of 5G’s architecture. Previous incarnations were far more hub and spoke oriented. 5G fundamentally pushes that much closer to the users of the actual devices. That’s part of the opportunity from an attacker standpoint that 5G presents, locality oriented, I suppose, is one way of looking at it.
[00:07:14.980] – Matt Fusaro
This was something that CISA. I can’t remember the acronym for it’s a government organization, Cyber Infrastructure Security something. They had actually identified this as something that they’re extremely concerned about, which I found interesting. They’re probably looking at it more on the nation state type of attack level. That’s what you’d be looking at. I’m not sure that you don’t go running home and say, “Hey, devices are going to be attacked now.”
[00:07:45.390] – Jason Pufahl
Turn off my iPhone.
[00:07:47.540] – Steven Maresca
What it actually means is more devices that have baseband chips in them.
[00:07:52.590] – Matt Fusaro
Exactly.
[00:07:53.090] – Steven Maresca
Like cars, like trucks for long haul trucking, logistics networks, elements of technology that are hidden out of view, not necessarily in your pocket, like phone, but devices that require that connectivity in order to function.
[00:08:11.370] – Matt Fusaro
Especially with how manufacturing has been affected these past two years now and what’s looking like it’s going to be a third year. You’re going to get things like fraudulent hardware.
[00:08:22.530] – Steven Maresca
Of course.
[00:08:22.530] – Matt Fusaro
Places are going to go and look for other ways to get that stuff into our borders. It’s very possible that you’ll get compromised hardware that can utilize things like 5G to have a serious effect on infrastructure.
[00:08:37.420] – Jason Pufahl
I mean, it’s a fair point. There’s a huge amount of consumer demand for these products and it’s been increasingly challenging to get them. That’s a real possibility for sure.
[00:08:45.410] – Matt Fusaro
That’s something I’m interested in following and see where that goes.
[00:08:50.530] – Jason Pufahl
We chatted here about two specific vulnerability types. I think one of the challenges that we are concerned about, and I think that we’re seeing as we talk to people in the field, is the vendor consolidation, or maybe even slightly outside of that is lack of qualified people with security skills, legitimate developed security skills.
[00:09:13.380] – Jason Pufahl
I think we run across what I’ll describe as that ‘point and click admin’. Regularly somebody who is familiar with the interface of a firewall and calls themselves a security professional. I think it’s very different than somebody who’s a seasoned practitioner. If I were generalizing that, I feel like the support for companies to hire people or companies to find external sources to provide security capabilities. It’s going to be super challenging going forward.
[00:09:40.110] – Steven Maresca
Certainly not to demean the folks who are trying their best. The reality is that there’s a huge drought in seasoned security professionals. That means correspondingly, there is a drought in those who can mentor others that might be on staff at organizations. This is an industry which is in a field, which is really new. Yes, it’s 30, 40 years old in some corners, but the truth is that most people with skillsets in computing really have thought about security in the last decade, maybe 15 years, if we’re lucky.
[00:10:13.810] – Steven Maresca
That means that those in senior levels are rare, they’re highly paid, and they are very mobile because they can command a high salary. Organizations are not ready to meet the actual expectations of that subset of IT staff.
[00:10:33.250] – Matt Fusaro
I don’t know if I’m wrong about this or not, but I feel like it’s pretty much about the same amount of security professionals that are out there. As time goes on, you get more and more people that are interested in it, but it’s the rate. We’re just not churning out enough security professionals to deal with all of the SOCs that need to be implemented now. Notoriously, a SOC analyst is a burnout job. The industry is certainly trying to fix that, but it’s slower than we can manage.
[00:11:06.920] – Jason Pufahl
I think the challenge is that the baseline competency of some of the folks. I think there are a lot of people who are an [inaudible 00:11:14] analyst is that I want to refer to, there’s a lot of people who are really equipped at saying, “My tool”… And tools have gotten significantly better. The information coming out of this tools is great. “My tool told me there’s a problem. I’m going to tell somebody else that my tool told me there’s a problem.” Sure, but I think if I want an analyst, it’s somebody who can say, “I’ve been able to now look at multiple sources of information and understand your real risk versus perceived risk and translate that to the business side of things.”
[00:11:46.100] – Jason Pufahl
That is such a difficult skill to acquire and I think really requires a unique individual to have that.
[00:11:52.220] – Steven Maresca
To pivot off of that statement. That paints a picture about the actual gap that most organizations face, because they have security infrastructure that was deployed by folks who are supporting desktops, people who understand the network, not necessarily individuals with a comprehensive view of how to wire that together to understand data across multiple areas of the organization. The tool tells them something. But that individual or the group of people who might be collaboratively monitoring it, don’t really know how to interpret it together, therefore they’re almost in a similar position as if they didn’t have that tool to begin with.
[00:12:31.220] – Steven Maresca
That’s the main gap. It’s the ability to make sense of the data because, frankly, we’re all behind the 8 ball as defenders of organizations. Attacks move faster than everyone collectively in the industry is able to actually manage. That’s just more keenly felt by those who are being attacked.
[00:12:50.830] – Jason Pufahl
I want to be careful. There’s nothing wrong with somebody whose skill set is taking the data that comes from a tool. Quite frankly, a lot of organizations [crosstalk 00:13:00] that person. You need somebody who can look at your firewalls and look at whatever other tools you have in your infrastructure and say, “There is something that’s going on that I need to look at a little more deeply.” That skill to truly analyze it in certain ways, in my opinion, is undervalued, but so critical.
[00:13:19.300] – Matt Fusaro
Do you think it gets better or worse this year?
[00:13:21.110] – Jason Pufahl
I think it gets worse.
[00:13:22.310] – Steven Maresca
I think it gets worse. Correspondingly, the reason for that is that unable to fill positions, organizations shift towards services. That’s not a problem, we provide those services. They can be quite successful. It’s just that at the moment, there’s a substantial change in the security provider market, and the number of providers is dwindling, because of mergers and acquisitions, and alterations in business process, and structure.
[00:13:54.310] – Matt Fusaro
I’d say last year there was just a flood of private money, public money that went into creating cybersecurity businesses.
[00:14:04.270] – Matt Fusaro
A lot of them didn’t work. Some of them did, but the ones that did there was a large number. We’ve got this, I guess, sprawl of point solutions now, we’re going to say consolidation that we saw it with networking.
[00:14:20.110] – Matt Fusaro
The Brocades of the world and things like that, they got consolidated into HP and Ruckus and all that. We saw it with MSPs. You saw the private firms taking a lot of those in to be conglomerates almost. Security is next. A bunch of money went in, now it’s time to consolidate. The people who put that money out there, they want that money back now.
[00:14:46.520] – Steven Maresca
The way we expect that to be seen is that the vendors with whom organizations have developed a relationship are likely to shift. They will be working with people who are new to them who may not quite understand the business. That shift in participants is going to feel somewhat painful. There will need to be a relearning required. There’s a cost to that as well. I think that similar to the drought in security staff, the substantial change in security providers will actually cause some degree of grief.
[00:15:25.760] – Matt Fusaro
I’d say the takeaway there would be, be nimble next year with the products that you have. Make sure your processes are good to actually pull a solution out and put a new one in. If there is consolidation, you’re going to have to deal with that.
[00:15:41.760] – Steven Maresca
Evaluate your vendors. We always advise rotating vendors in general, you want different perspectives. It helps keep people efficient and nimble, but plan for it.
[00:15:53.680] – Matt Fusaro
Ask about the business a little bit. It’s okay to dive in and ask them some hard questions about how are they funded. Get some confidence and are these guys going to be around in two years, three years? If you’re buying a product for that long, they’re going to want to sign you on for that long. That’s for sure.
[00:16:12.700] – Jason Pufahl
Everybody wants multi-year contracts for sure. We’re seeing it. As always, there’s a lot of competition in the security space. People buying for business. You see a lot of similar products out there. Longevity is going to be important because you want to make sure you have something that you can rely on that you can train your staff on and really get that value out of. I think we’re maybe optimistic still, that we’ll continue to see an improvement in security maturity over the next year.
[00:16:44.890] – Jason Pufahl
It’s a challenge, a little antithetical to the security skills issue. There are reasons why companies now are incentivized to move forward on more formal security programs adhering to standards. We talked a little bit about cyber liability insurance, driving changes in the market a little bit. I do think 2022 is going to show increased awareness on how do you build a mature and sustainable security program in alignment with standards. I think we’ll see that and I’m optimistic that we’ll actually get some iterative improvements just overall on that proactive side.
[00:17:23.190] – Matt Fusaro
I think it’ll be nice to actually see… A lot of this is the result of the security industry actually starting to work. It’s no longer the segmented communities that either make tools or have recommendations. It’s now, a lot of us are working together. We have good solutions. It’s iteratively getting better. Now with insurance companies and like you said, a lot of these compliance frameworks are actually starting to solidify and have good recommendations, in my opinion, I’m hopeful.
[00:17:56.510] – Jason Pufahl
You can’t be everything to everybody. I feel like we regularly have requests from clients for things that we just don’t do on a daily basis. I think part of it is maybe a little bit in that consolidation side. We need partnerships. I think there’s a lot of opportunity for companies to find good, qualified, embedded partnerships out there to deliver a cohesive solution to their clients. Without necessarily having to be experts in everything.
[00:18:23.470] – Jason Pufahl
I think we’re mindful of it. I think the people we work with typically are that. There’s a lot to this space and understanding the business, understanding the risks and driving solutions that reduce all of that, they’re really important.
[00:18:37.510] – Steven Maresca
The most effective security professionals and security vendors will be those that are willing to say, “I don’t know,” or to admit a gap in knowledge. The field moves too quickly. Attackers are developing techniques which are entirely unknown as of today, they’ll be new tomorrow. They were theorized 20 years ago. It moves too quickly. Partners who are willing to talk in a real way are those that are worth pursuing and similar with the employees as well.
[00:19:04.400] – Jason Pufahl
I think that’s that collaborative approach. Our job is to do the best that we can for our clients and we’re not doing that if we try to engage in work that we’re frankly, not that good at. I think if people can recognize that and behave with that sense of honesty, integrity, authenticity, we’ll see a real improvement there, I think.
[00:19:23.790] – Matt Fusaro
You can no longer kind of just flow along. I think AV vendors are probably the ones that are guilty of this for so many years. You can’t do that anymore. I think 2022 will just be another iteration of we’re going to see what vendors and what security groups out there, the actual people know what they’re talking about in real.
[00:19:45.090] – Jason Pufahl
For sure. I think, as always, we selected a few things that we think are going to be important. Certainly, I’m legitimately concerned about the skills capability gap. I do think that’s just going to get wider. I do think we’re frankly promoting a lot of people in the industry who have fairly basic skills, but because they’ve been in it for a couple of years, they have this field of almost being senior. I don’t know that our mentors are always necessarily the best, just given the way this industry is evolving so quickly.
[00:20:17.130] – Jason Pufahl
I’m legitimately concerned about that and I think that is going to continue. We could probably talk about the same thing in 2023, quite frankly, but I do envision talent being a real challenge this upcoming year.
[00:20:29.830] – Matt Fusaro
I’m not really sure how to fix that yet. It’s a tough one.
[00:20:32.660] – Jason Pufahl
Yep.
[00:20:33.510] – Steven Maresca
My biggest concerns are going to be attacks against key core infrastructure that, as we talked about in our last episode, malicious entities have somewhat avoided being off limits.
[00:20:49.000] – Steven Maresca
I think that that restraint may drop, and that will be the largest main impact that we feel. If your 5G device is undermined in your vehicle and it stops on the side of the road. We’ve talked about vehicle attacks before, not exactly the biggest threat, but if 5G is undermined, you don’t know where you are and you can’t use your phone to navigate, and your car won’t navigate. It’s a bad day for millions of people.
[00:21:21.730] – Jason Pufahl
As always, we selected some things that we thought were important to us. Frankly, there’s probably another 10 things that people could ask about or talk about. If you want to reach out to us; Vancord Security on Twitter, Vancord at LinkedIn. We’re happy to continue the conversation. We’re happy to have an upcoming episode on… “Here’s what everybody thinks we missed when we came up with our list of four or five items here.” Feel free to reach out to us, but hopefully it gets you thinking a little bit.
[00:21:49.510] – Jason Pufahl
Hopefully it’s not too bleak a picture, because I think there’s probably some positives as well. As always, we hope you got some value out of this episode and look forward to having you listen to future ones. Thanks, everybody.
[00:22:01.510] – Speaker 1
Stay vigilant. Stay resilient. This has been Cybersound.