In this episode of SolarWinds TechPod, Tech Talks, host Alex Navarro discusses security threats, the importance of practicing good cyber hygiene, and best practices for managing users and their devices with Mav Turner, Denny LeCompte, and Jim Hansen of SolarWinds.
Coming to you from SolarWinds HQ in Austin, Texas. I’m Alex Navarro with SolarWinds TechPod. This is Tech Talks. I’ve gathered some of our brightest minds for a security quickfire discussion:
Mav Turner, VP of Product Strategy at SolarWinds…
“It’s not just about the technology. It’s people, process, tools.”
Denny LeCompte, General Manager of our Cloud portfolio…
“Don’t do dumb stuff.”
and Jim Hansen, VP of Products, Security and Cloud.
“If you’re going to get compromised, you probably want to have something in place to go find some of that suspicious or malicious activity.”
ALEX: Most people think external threats are often the biggest threat. But in your experience, would you say that there is new evidence to suggest that, really, internal threats are a bigger concern now to organizations and enterprises?
MAV: I think the thing that a lot of people don’t understand is that when you talk about external versus internal threats, the malicious insider versus an accidental insider, right? So most organizations don’t really have a problem with the malicious insider. Some do, so it’d be very clear depending on what industry you’re in. But most businesses, it’s really about the accidental insider that’s taken advantage of by an external threat. So not trying to not answer your question, but it’s usually, that’s the thing that you want to look out for, right? You want to look out for that accidental insider that can be leveraged as an attack. If you look at a lot of the data breaches that have occurred recently in the last couple of years, it’s usually an external actor that’s doing that, but they’ll often take advantage of an untrained insider.
DENNY: The reason you have a big risk with insider crime is because it’s sort of a crime of opportunity. Somebody has a job, they work for you, and there is some opportunity for them to do something that they shouldn’t. And, it, it may not be that they’re going to make money off of it, but they’re going to violate some policy, maybe move some data. They might not even think of it as a crime, but they’re there and there’s lots of them. And you know, whereas the guy from the outside really has to go to a lot of trouble to figure out how to get to the inside, people in the inside know a lot already. They have tons of permissions. All they have to do is probably go escalate those a bit to something they don’t have yet.
JIM: When you think about all the threats that are out there, a lot of them come from the outside and people don’t really think about what’s happening from an inside type of perspective, right? We spend lots of money on firewalls and perimeter defenses and all of these different technologies to help us find the things that are trying to break in. But in a lot of cases, the things that are already there are the people who are inside the organization. And if you go and you think about even some of the different types of situations in the past where, for example, Edward Snowden, right? CIA guy. This guy had access to lots of sensitive information, and he exfiltrated that. There was actually a breach, if you recall, back in 2015 with Anthem. It had nothing to do with an insider, but what you probably don’t remember is back in 2017, there was actually a person within Anthem who had access to patient information and other types of data and they actually took it and they had been doing so since as early as 2016. And it’s a good example of an insider that has access and they’re using the access that they have in a malicious way to go take the data and do something nefarious with it, sell it or, or something like that. Now when I think about insider threats themselves, I think about it really in two ways. You’ve got two classes of insiders, right? The first of which is the malicious user, which a Snowden and this other person we just talked about is a good example. The second type of insider is the careless, untrained type of user. And this is just the everyday person who goes around inside of the organization. They’ve got access to data, they’ve got access to systems, they’ve got access to all of the different places within the environment where the critical data resides and they just do silly things, right? 
And those silly things could be, I go to a website, which maybe I’m not supposed to go to, or I think it’s an OK website and there’s some kind of malicious code on that website.
ALEX: Who does that on a workday?
JIM: Nobody, right?
ALEX: Never heard of that before.
JIM: Never. People use dumb passwords. Hey, my password is “password” with a zero one but I’m going to use a zero instead of an o. And things like that, right? They just do silly things. And the reality is all of these little things are just a function of just not really paying attention to the fact that cybersecurity is kind of a big deal. And the reality is we’re also all mobile, right? So we have our laptops and our phones and we take those devices all over the place and we’ll go to a Starbucks, we’ll log in to the Wi-Fi or we’ll go to an airport and we’ll log in to the airport Wi-Fi and all of these places could be yet other places where malicious people are looking to try to attack machines. Right? And if they’re not, for example, even patching their machines, that becomes a challenge because now I can attack my computer. If I get compromised and then I bring my laptop back into the, the company beyond those perimeter-type things that are trying to protect me from the outside guys. Then what happens is now those, those insiders become effectively outside types of threats because now the bad guys have access to the network and all of the resources that that user has access to as well. So it’s a big deal and we’ve seen time and time again with customers that I’ve talked to. We even ran a survey just recently, which highlighted the fact that a large number of organizations look at this insider threat as the primary threat vector that they’re most concerned about even above other types of, uh, external types of threats as well.
ALEX: In your opinion, what would be some of the most vital SolarWinds products for security needs at this point in time?
MAV: There are a lot of different products SolarWinds has. One that comes to mind for this specific topic is Threat Monitor and this is a great product to detect and respond to incidents. It brings everything together, allows you to take action, allows you to identify where the risks are in your environment. That’s the thing that from an advanced capability is going to really provide you a lot of power. But also I’d like to talk about kind of the basic products that help you with, you know, day to day blocking, tackling what are those basic security essentials that you need to be doing in order to ensure your environment is secure, your business is operational. And that can be anything from backing up with our Backup product to virus detection and response. So those products are going to be really great for ensuring that your essentials are taken care of. All right, so there’s kind of two different spectrums. We have many other products that can help, but those are the three that come to mind immediately.
As an organization matures, it will use different tools, right? It’s not just about the technology, it’s people, process, tools, right? That’s kind of the standard that happens all the time and you want to make sure that you’re using the right tools for the maturity of your organization, right? We don’t want you to come in and buy something and think it’s going to solve all your problems because it actually has to work with the other parts of your business. It has to work within your process. It has to work for the people that you have running that tool.
DENNY: So we’ve got, you know, quite a few security products. A couple that you might want to focus on. One is a product called Threat Monitor, which we acquired last year and launched and it is a, like, it is going to do both inside and outside where it is going to detect anything that should not be happening. So it’s looking at all the data coming in across the network, on inside of your servers. And then it is running rules against those to see if kind of obvious known bad things are happening. And then we’ll send you an alert and you can go do something. Another one that is very much focused on insider threats is Access Rights Manager and what, what we call ARM. And what it does is it will help you go through all of your infrastructure. So like your Active Directory, your files, OneDrive, all of that, and figure out who has access to what. And it will do a kind of analysis that will tell you whether there are just obviously bad things like passwords that don’t expire or people who have permissions in very powerful groups. So we help you see who that is and go clean that up.
JIM: You know, what’s interesting about SolarWinds is that for the longest time, SolarWinds has been really heavily focused on IT people. We sell to the IT professional. And when you think of SolarWinds, you don’t really think of us as a security company, or a company that even provides security solutions, but it turns out we actually have a really rich portfolio of products that do a lot of different things across a lot of various areas. Now, I’m going to cheat a little bit. I’m going to talk about two different products today, which I think are really interesting. The first of which is Access Rights Manager. This is a product that we brought into the portfolio just a few months ago. And the point of this particular software is to provide people with visibility into what users are doing within their environment, right? So as a user, you have an account. That account has access to certain file servers. It has access to applications and resources within the environment. And of course, all of those permissions at some level have to be managed, right? Because if they’re not, what happens over time is that people just gain more and more access to things. But imagine, the more access that you have, you’re a great target. If I can compromise you and you have access to that information system that I’m trying to steal data from, well I have a way in and I can use you as a way to be able to do that, right? So Access Rights Manager is designed to be able to help IT professionals and security professionals monitor all of the access permissions within the environment and also apply a principle called least privilege. And least privilege just means if you don’t need it, don’t give it to you, right? So think about the distribution lists or hey, you’re not being inside of the HR team. Do you really need access to the HR system? Probably not. Right? So there’s no reason to give you access to that. 
Should you have access to a special file in a file server for, let’s say, M&A types of things? Well, if you’re not part of the M&A team, probably not. So there’s no point in letting you have access to those things. And Access Rights Manager is designed to be able to allow you to monitor those and keep those privileges down to an absolute minimum through a very simple and easy to use type of mechanism. Right? Now I do want to highlight one other set of products that we have as well because they’re super important to this whole conversation and that is Threat Monitor. And another product that we have called Log & Event Manager. And effectively, what these guys are, are products that help you go detect threats, right? Which, if you know that at some point in time you’re going to get compromised and let’s face it, you’re going to get compromised at some point in time, right?
ALEX: It’s an inevitability.
JIM: Yeah, absolutely. So if you’re going to get compromised, you probably want to have something in place to go find some of that suspicious or malicious activity. These two products that I just mentioned are exactly designed to do that. Threat Monitor is a SaaS-based solution and it’s really designed for those organizations who don’t really necessarily want to manage it themselves. They don’t want to deal with software and they don’t want to deal with servers. And so we, we manage that service for them, but they’re still responsible of course for looking at the threats and responding to those threats and so forth. Log & Event Manager is the same kind of product, but it’s designed for folks who just want to go take it and put it in their data center. But effectively, they provide the same value. It’s there to help you detect threats, respond to those threats, and then answer any kinds of compliance-related questions that come up in the process as well.
ALEX: We’re always talking about cyber hygiene. In particular, if you’re familiar with Tim Brown, our VP of Security Architecture, he’s always preaching the importance of cyber hygiene. So what does that term mean to you?
MAV: To me this goes back to the basics, right? What are those things that are the basics? A lot of times after a major breach is announced, you’ll see on the news, oh, they just need to follow the basics. They need to improve their cyber hygiene. And that’s true, but where it falls short is, OK, what are those things? What are some examples of the basics? And you know, I mentioned backing up earlier, that’s another great example of just something that’s basic. Ensure your applications, your data is backed up, ensure that users only have access to the data that they need, right? So back to that malicious versus unintentional insider. If an insider doesn’t have access to something they don’t need, they’re less likely to be a target, less likely to be leveraged in an attack. So again, ensuring that you only have access to what you need, ensuring you have good backups, ensuring you have a strong password policy. That could be anything from rotating passwords or ideally leveraging two-factor authentication. Things that ensure that you’re really getting access to the right things and that you don’t have a situation where there’s a breach, a password that somebody uses on Facebook gets to be the same password that they’re going to then use to log in as a corporate infrastructure. Right? And so having that strong password policy, that start with a strong password practice really makes a big difference.
MAV: And of course, patching, I’m sorry, I should have started with that one. Right. Making sure you’re up to date with the latest patches. Most of the vulnerabilities aren’t actually new zero days. We’d like to talk about those. Those are definitely a risk. But when we talk with a lot of customers, they struggle with just the day-to-day patching, staying up to date with the latest releases, making sure that all of the known security holes are already covered. If you can practice good patching, good password management, and have good backups, you’re going to reduce a lot of the risk in your environment.
DENNY: It’s kinda, don’t do dumb stuff, right? Like don’t leave your computer sitting around with, you know, without the screen locked. It’s just kind of like locking your doors. Also means don’t use the same password over and over again, which is like when you do surveys, one of the most common things people do, they reuse passwords. And the reason they do that is because to live in the, certainly in any corporate environment, you’ll have often dozens and dozens of passwords. So I like, well I’ll just use this one and I’ll remember it. The problem is that if one is cracked, they’re all cracked. So that’s probably, that’s bad cyber hygiene. That is just not ever, ever washing your hands kind of hygiene. It’s disgusting. So that, you know, lots of people do it and people will think they’re super clever. I’ve had somebody go, well I have three. And I rotate them and this is the one for like the banks and stuff, and I’m like dude, you will be hacked. Your identity is going to be stolen, your money is going to be stolen.
ALEX: It’ll just happen, like, one segment of your life at a time.
DENNY: Yeah. Three everybody does that and the bad guys will go and like when Equifax or LinkedIn or one of these is hacked, they go grab all those credentials and then they basically just like machine gun all the credentials against all the common sites, including your Salesforce site, your Facebook, your Instagram, and they just keep trying them and they’ll try them again, because they know you rotate and they’ll wait until the password they’ve got matches a password you’re using and then they’re in and then bad things happen, right? If they get inside your Gmail, they get inside of really, they get inside your personal email, they can start resetting all of your passwords, right? Like this is the sort of thing that should give you nightmares. And the most important thing to do, the hygiene is, don’t reuse your passwords. Like it’s the most common thing that people do that they really, really should not do.
JIM: I look at it pretty simply. Why do we brush our teeth every day? Why do we take a shower? Why do we put on new clothes every now and again? Maybe not every day. I don’t know. We’ll see, maybe you change your socks. I don’t know. Right? But the point is is that we do these things because it helps us stay healthy. It helps us prevent ourselves from getting sick. In the same kind of way, cybersecurity hygiene to me means what are those basic foundational kinds of things that you want to do in your environment to make sure that your organization is protected from both of those outside threats and also the inside threats as well. Right? And so when you think about how do we try to think of, of what these kinds of threats are? Well, I kind of put it the, the way to think about the, the framework into, into five stages, right? Number one, we want to identify all of the different assets that we have on our infrastructure. And, and that’s important because understanding what’s there allows us to understand what needs to be protected and how to go protect it. That’s the first stage. The second stage is protection, right? And this is everything from doing those basics, like put a firewall in place. Like who wouldn’t do that? Of course you need a firewall, but we don’t really think about that, right? Because it just happens. It’s basic security hygiene. We also need to patch our systems, right? And so that’s also a protection-type control that we use within the security world to be able to make sure that our systems are actually protected from all of those vulnerabilities that are getting detected out there. Right. And so that protection becomes really important. There’s a bunch of different products that SolarWinds makes available to be able to do that. Everything from our Network Configuration Manager, we’ve got Risk Intelligence, we’ve got the Patch Manager, and a few others as well. But then the next stage is detection, right? 
We want to be able to find those threats so we know what’s out there, we know how to protect it. But inevitably, as we talked about, something’s going to get through. So when something gets through, we want the ability to be able to detect those threats and respond to those threats. Right? And so things like Threat Monitor and Log & Event Manager, those become really interesting products because those are the things that are going to help you find the, the bad actors in your environment or those malicious insiders. Right? Or even the careless folks. Right? If I don’t patch my machine and I start doing silly things, I should be able to get caught because, well, I need, my IT team needs to know that I’ve done something that could potentially harm my organization. Right?
ALEX: Gaining that additional visibility.
JIM: Yeah, absolutely. And then the last two pieces I already kind of responded to one, which is recover, right? I need to be able to, well, sorry, respond first, right? I need to respond to those threats and then I need to recover. So think of things like our backup solution. Um, if you have a comprehensive backup strategy in place, if for example, then one of my systems gets owned by a piece of ransomware, I have two options. I can pay the ransom or I could actually just recover it through a backup and recovery strategy, which seems a little smarter to me than paying the ransom.
ALEX: I like the second option better for sure.
JIM: Me too. So you know, not like nothing here is extraordinary, right? All of these basic security kinds of things are exactly what that security, cyber hygiene actually means. And if you do these things, you can actually reduce the threat landscape by as much as about 80% which is just by doing the basics. We can go worry about all the sophisticated stuff too. But imagine if you can just get rid of all the, the simple threats by doing those basic things. Again, it’s kind of like brushing your teeth. You do it because it just makes sense, right?
ALEX: Some would say that we are in a new era of managing users versus devices. And so that’s because, you know, in a work day you could literally be working from your phone, then you’re hopping back on to your laptop, then you’re, you know, in a WebEx and you’re accessing all of these other different devices and you can also end up working remotely. Let’s say if you’re traveling for work. So when we’re talking about this new era, what do you think people need to practice when we’re talking about this added layer of security complexity?
MAV: Yeah, it’s definitely a trend that’s been going on for a while now. And what we have to think about is the, is the user but also the application. So the user might be using an unsecured device. But historically what we’ve seen is if you go back 20 years ago, 30 years ago, the, the data was going on secure networks. So you could usually rely on the network layer security. But as we’ve used more SaaS applications, as we start to use the public internet to run everything, this isn’t new. This isn’t last year, right? This is a trend. You start to have an unreliable infrastructure, right? You just assume that somebody can tap in to that data communications. So this is where it comes back to the application, ensuring that the application is actually secure so that the two endpoints are securely communicating and that if somebody does intercept your communication, they can’t do anything to modify it or disrupt it. And so it actually comes back to the user in the application, how they’re using those applications. Going forward what we’ll start to see is more support for applications that can reside on unsecured devices. So if you just log into a random loaner PC, you’re able to run an application on that device and the device doesn’t really matter. And that starts to become really exciting as well.
DENNY: The important thing is that you think about, and there’s a whole category, and, and our ARM product would fit into it of identity management. Like, I need to figure out who you are and what you have access to. Cause it’s not like, yes, back in the old days, your device was where everything happened. And if you went to another device, you kind of couldn’t do work. Now it doesn’t matter. Who knows? Like at the same time you’ve got your phone in one hand and you’re messing with your laptop on the other hand and it just because that’s convenient. And so what’s, what’s common is you, and so it’s important that organizations have a view of what this set of accounts, right? Cause it’s not even one account. You know, if I’m looking at Alex, what are all the accounts that represent Alex? And then understanding that behavior, because then like if suddenly Alex logs in from Russia when Alex does not live in Russia, or ever go there or we don’t have an office there, like, you should have a system in place that would give you an alert. Right? So that, that should never happen. So then maybe I suddenly lock you out because either you’ve bizarrely gone to Russia and we can deal with that, or like your account’s been compromised and somebody else is doing it. Right. So, but it’s the, it’s thinking about the identity, not thinking about the machine. Machines need to be protected but, but mostly people need to be protected.
JIM: Let’s face it, security is hard and it gets harder as technology becomes more democratized. And what I mean by that is when you think about the level of access that bad actors have today to basic technology that allows you to attack somebody, it’s there. You can go onto the internet and find it within about a minute or two. You can download it. There are services that you can buy from malicious actors who sell their services to make it easy for you to go start your own malware or to start your own piece of ransomware and things like that. And it’s kind of crazy. Right? And then when you think about the mobility aspect that we were talking about a little bit ago, that mobility component is, it just makes it that much easier for you to get attacked as an individual. So this whole notion of transitioning from device-based coverage to user-based coverage, I think that’s just going to have to become more and more prevalent within security because you have to think about the user. At the end of the day, the user really is the weakest link. And, and the reality is, as users continue not to be informed, right. You know, think about it like this. If I’m walking down a dark street in a dark neighborhood, that may not be the best of neighborhoods. Do you just kind of meander down the street with your head in your phone looking at stuff? No, you’re paying attention, you’re looking around. You might not even feel very comfortable. In a similar way, it’s important for you to be thinking about that as an individual as well. Not as an IT team, but all of us thinking about that and, and for us to be aware of the kinds of things that we’re doing in this cyber world. Because in this cyber world, it’s just too easy for us to go do some of those silly things that make it easy for an attacker to attack us and thereby attacking our organization as well.
ALEX: If you could just have people walk away with one truth, what would it be?
MAV: This goes back to a threat model. Understanding what’s important in your organization and ensuring you deploy the right resources to protect it. It’s very easy to frankly, to overspend on security, right? And you get a bunch of things that you don’t need to protect things you don’t know about because you can almost spend an unlimited amount of resources and time and people securing resources that may not actually represent the, the costs that if there was an incident. So it’s really important to understand what data do you have, what data needs to be protected, what’s the risk that if something happens to that data, it’s modified or deleted? You no longer have access to it. What’s the impact on your business? So again, understand where this data, where the users pose risks to your organization and then deploy your defenses there. So having a, a threat model, even if it’s a very simple one that you write on one page, just to say, here are the three things that we do not want to be compromised, that will make the biggest impact on how you prioritize. Again, where you put your people, your process, and your technology.
JIM: Wow. That’s a tough question because I can think of about a hundred different things which I, which I would immediately say, you’ve got to at least go do these 10. But if I had to choose one, what I would probably start with, I mean if I were managing, let’s say, a new company that had to put cybersecurity or security in general in place for the first time, the very first thing that I would probably do is I will educate and train my people. And that education and training is important as we’ve talked about. Because if, if you have a user team or your employees that are knowledgeable and they know what to look for, they’re not clicking on things in your email, which are phishing types of attacks and downloading things from email that are going to be installed on your computer. I mean, these things happen all the time and almost every company, right? Even in security companies that I’ve been a part of in the past, like these things happen to people who aren’t thinking about security every single day. So education and training, in my mind, is the very first thing is you’ve got to get your user community to understand that security is important. And you always have to keep that head on a swivel, digitally speaking, so that you know what you’re actually clicking on. Where are you going? What websites are you looking at and know if something looks suspicious that you got to go talk to your IT team and make sure that they have the ability to go check out your computer or check out your systems and just know what you’ve actually done. Right? I’m going to cheat a little bit and I’m going to say one more thing and I couldn’t help it. I couldn’t help it. And that is, you know, we talked a little bit about this whole access rights management. Now, let’s assume that despite all of the amazing training that you’re going to do for your, for your employees, that they still forget.
ALEX: Sure. We’re only human.
JIM: And they will and they will, right? What can you do beyond that? I would say things like access rights management become really critical because even if they do get compromised, as long as you keep them to the absolute minimum that they need, again, think of that least privilege type of concept. If you keep them focused on only the things they need access to, at least you’ve minimized the containment issue of, of what somebody is actually going to access if they’ve compromised that individual.
ALEX: Minimizing the damage.
JIM: Yeah, that’s right. Yeah. And, and just think about silly things like, if I were to use a password, like, I don’t know, “password” for my email. But maybe, you know, you find people all the time actually using their personal passwords as their work passwords and guess what? There’s a breach out there, I guarantee it, that probably has some of those credentials in there. And it means that even as an individual, you can go on to Facebook or these, these different social media sites, you could find information about a person, map them to where they work, and now you have a way to be able to combine what they know about you to be able to go attack you. And that is exactly what these malicious actors out there are doing in a lot of cases. This is what they do. That’s how they’re going to get your money. It’s how they’re going to get your data.
Thanks for visiting. I’m Alex Navarro and we’ll catch you on the next episode of SolarWinds TechPod, Tech Talks.