Podcast Security

Assessing Risk – The Key to IT Security—SolarWinds TechPod 023

February 18, 2020

When it comes to IT security, it can feel overwhelming. What needs securing, and at what level? How do you prioritize? But when considering risk, this is a very different conversation. Changing the conversation from security to risk helps shape an informed and balanced approach. Tim Brown discusses how to apply a risk-based model for security success and how to balance convenience with security to avoid slowing productivity or creating obstacles.

This episode of SolarWinds® TechPod is brought to you by SolarWinds Security Event Manager. Improve your security posture and quickly demonstrate compliance with our lightweight, ready-to-use, and affordable security information and event management solution. 

Episode Host
Stefanie Hammond 
MSP, Principal Account Manager, SolarWinds 

Stefanie Hammond joined N-able Technologies in 2004—more than a decade before it was acquired by SolarWinds—becoming one of the first two individuals to hold the partner development specialist role for the managed services innovator. Today, as senior channel sales specialist, she supports major accounts for SolarWinds MSP. Stefanie is dedicated to making the company’s partners the world’s most successful MSPs, and she focuses on helping them sell more successfully to grow profitable businesses. An educator at heart, she is the company’s go-to trainer when it comes to ensuring partners fully optimize their use of SolarWinds MSP’s comprehensive portfolio of managed services solutions. Prior to joining SolarWinds MSP, she served as a financial services manager for BMO Financial Services Group for eight years. Stefanie earned a bachelor’s degree in business administration from Wilfrid Laurier University. 

Guest
Timothy Brown 
VP of Security, SolarWinds 

Tim Brown is currently the vice president of security for SolarWinds, overseeing internal IT security, product security, and security strategy. As a former Dell Fellow and CTO, Tim deeply understands the challenges and aspirations of the person responsible for driving digital innovation and change. Tim has over 20 years of experience developing and implementing security technology. Nationally, his trusted advisor status has taken him from meeting with members of Congress and the Senate to the Situation Room in the White House. He’s a member of the advisory board for Clemson University and holds 18 issued patents on security-related topics. 

Episode Transcript

Stefanie:
And hello again. I’m your host, Stefanie Hammond, Senior Channel Sales Specialist here at SolarWinds MSP™, and today we’re shifting the discussion we’ve been having lately from security to that of risk. As we look at the various security trends that we’re seeing materialize today across the industry, businesses and MSPs often view security as being binary, meaning they look at themselves and ask, are we secure, are we not secure, a yes/no answer typically. But when we talk about risk, it’s a very different type of conversation, because risk shouldn’t be looked at as being binary, but rather more along a scale, like a scale of risk.

Stefanie:
When MSPs can change the conversation from that of security over to risk, having this risk conversation can really show your customers that you understand their environment, that you understand their market, and it’s this knowledge that can really help an MSP get ahead in their intelligence gathering. Businesses are always going to have higher risk in some areas of their organization and lower risk in others. That’s just natural. So it becomes incredibly important for MSPs to help mitigate their clients’ overall business risk. The key to overall risk mitigation is to understand each client’s individual risk mix and build out the appropriate plan.

Stefanie:
So joining us today for this, of course, is our very own talented Timothy Brown, VP of Security for SolarWinds MSP, who is here to offer us some great techniques on how to navigate this conversation shift that needs to occur so that MSPs can help businesses, and help themselves, become more prepared to handle any sort of risk situation they may face. So welcome, Tim.

Tim:
Thanks Stefanie. It’s great to be here.

Stefanie:
Before we really dive in, let’s define maybe some of the risks that businesses are facing today that you’re seeing.

Tim:
All businesses face some level of risk, right? It’s important to think about kind of where that risk is. They face risks from disasters, they face risks from physical locations, they face risks from financial markets. They face all sorts of different business risks, and cyber is just another one of those risks. So it’s important that they think about it in that way. And then when they think about it from a cyber perspective, they really need to consider what business they’re in and who their customers are, what the business is, what an adversary would want. That’s a really important component, is to put your adversary hat on when you’re thinking about risk and say, “Hey, okay, from an adversary’s perspective, what would they want? What can they make money at? What could they take advantage of? What can they do?”

Tim:
So a lot of that’s based on what data is stored, what data is available, how easy that data is to be, first, stolen and then sold on the black market. So certain types of data, such as PII, such as health records. Health records are very important and very easy to sell on that black market because you can use them for multiple purposes. I can use them from an identity fraud perspective, I can also use them from an insurance fraud perspective. So they have multiple uses, they’re more valuable, more people want to buy them. So essentially, it is one of those things that you need to protect more because it’s at high risk. What functions are businesses performing? Who are their clients? Are their clients important? Could they be used as a gateway to another client? So that’s another component that you need to think about when you look at risk. Do they have IP? Do they have credit card data? Do they have other things that somebody would want to take and steal?

Tim:
They also need to think, really, about what their crown jewels are and how they protect them. We’ve talked about crown jewels in the past. But it’s actually one of those things that is so critical to their business that they need to make it a higher priority to protect. We always use the healthcare example of patients. We never want to have patient care or a patient at risk. So how do we treat that differently, and how do we add that into our overall risk equation?

Stefanie:
Some really great questions for MSPs to ask their customers, and really for businesses to consider themselves, in order to help them quantify the level of risk that they might be facing. Because the way I see it, as an MSP or business owner, not only is it important to get a good understanding of those attributes that help contribute to your success, but it’s equally as important to get an understanding of those areas of your business that actually might make you vulnerable. I think it’s great that you’re referencing that notion, again, of the business’s crown jewels, because yes, you have spoken about that before on previous podcasts, with those crown jewels being the most valuable pieces of that organization.

Stefanie:
So, my question: how would a company begin to understand how much risk they are potentially vulnerable to compared to all possible places an adversary might attack? And then obviously, I always want to take it from the MSP’s perspective as well. How can an MSP decide which of their clients they should start focusing on first to start having these types of risk conversations?

Tim:
There’s a lot of really good complex risk models out there, and the problem is that they’re really good and really complex and they take a lot of time, they take a lot of effort and, if you have enough data, you can put them into a big risk model and come up with a true risk score for the company. The problem is it is complex and it takes too much and it’s difficult. But if you can simply group your clients and group those clients into low, medium, and high risk, you end up getting enough of a perspective in order to put appropriate security controls in place for each one of them. So that’s a model that we’re trying to push forward with.

Tim:
So what makes up a low risk company? A low risk company is really a company that would be a target of opportunity. It’s just that level of a company where they don’t have a lot of data, they don’t have a lot of locations, they don’t have a lot of people, and they don’t necessarily have something that people would actively target them for. But at the same time, the bad guys are out there scanning, they’re scanning all the time. They’re looking for everything. They’re looking for open opportunities. You throw a web server out there on the internet, open, that has a vulnerable system, it lasts minutes. It really does. That’s what people have to realize, that just because you don’t think you have something that somebody would want, it doesn’t mean you’re not a target. You’re simply a target of opportunity.

Tim:
So at the low risk side, you have companies that have no reason to be a target. They have limited data, they have a limited number of partners, they have a limited footprint, they have all financial systems or processes externally, they’re just running a general purpose business that nobody would even think of as a target. So that needs to be protected still because of those drive-bys, but it’s low risk. Then when you think about medium risk, once you pop over from low risk to medium risk, they have some attractive data. They’ve got some data that could be interesting to somebody. They have attractive partners possibly, somebody that they would think of, “Okay, well, maybe my customer is a financial institution, maybe my partner is a big manufacturer, maybe my partner is an oil company.” Yes, I know the other podcast about oil companies and pipes.

Tim:
But they fit that medium risk profile because of their partners and the access that they provide. Our famous one is Target. The Target breach happened because the HVAC vendor, a small or medium company, had access to their internal systems. So they would fit my medium risk category, not because of what they did, they were an HVAC provider, but because of the access their partners provided to them. So they would fit medium risk. So when you look at high risk, who’s under high risk? High risk is a pretty high bar to look at. High risk says that you may be a target of a nation state. So a nation state would be going after you to get access to sometimes critical infrastructure, sometimes data that you have. So this could be a municipality. This could be a small electric company, a small power company. Power and energy companies are very much a target today of nation states.

Tim:
So when you look at that type of thing, the attack may be quiet from a nation state. They’re not looking to do damage, but they’re looking to gain control. But you’re still at high risk because of those things that you have. Regulated industries often fit into a higher risk category. So they have financial data, they have healthcare data, they have PII, they have sensitive IP. There’s something that is within their walls or within their purview that I could easily sell on the outside market. That data, that crown jewel becomes much more important and much more of a target, so they become a target.

Tim:
More access to sensitive data or sensitive systems in volume. That volume of information is also attractive. If you have five clients, well, I’m not really interested in five. Oh, you have access to Equifax? You have access to how many millions of… I guess almost the entire U.S. population.

Stefanie:
And Canada.

Tim:
And Canada. Thank you. And Canada. Because of the volume of data, that is your crown jewel, that is your target. That’s what people are after, and after appropriately. So you need to protect that at a… consider that company at a high risk.

Stefanie:
All right. So a wonderful framework for an MSP to follow to help them really establish a baseline level of risk for their clients or their prospects that they might be coming across. I can see that by following the outline that you just reviewed, it is going to go a long way in helping MSPs decide who within their client base, who within their prospect base they’re going to want to speak to first and have these risk conversations. We’re just going to take a moment for a quick break and then we’re going to come back and we’re going to focus on other areas of an organization that an MSP should review that could also be prone to inviting risk in.

Stefanie:
Welcome back. Again, my name is Stefanie Hammond, and I’m joined here with our VP of Security, Timothy Brown. In our previous segment, we were talking about a framework for MSPs to help identify and create and establish a baseline level of risk for each of their customers, because we’re talking about changing up the conversation we’ve been having, and that our MSPs have been having with their customers lately, moving beyond having the security conversation and transitioning it over to having a risk conversation. We’re talking about how partners and how our MSPs can have those conversations with their customers to help them understand, what is their acceptable level of risk? So what I want to do, Tim, is kind of move into our next section. You mentioned that there are several other areas beyond the business risk inherent to just the vertical that they’re in and the type of company they are that could also be prone to inviting in risks that MSPs should consider.

Tim:
Yeah, absolutely. So when an MSP is looking at risk, they should use the opportunity to talk about risk with their clients. They should really have a model where they’re saying, “You’re at this level of risk. Why do I consider you low, medium, or high risk?” One of the categories is the company type. We talked about the company and where a company would fit in the low-, medium-, or high-risk category. So then how do you adjust risk? What are your modifiers to risk? How do you modify that risk that the company takes? It’s important that the MSP consider that their clients should not be 100% risk free, that they may face some level of acceptable risk, which is fine.

Tim:
Back again to our security versus risk conversation, it’s not binary. You’re never 100% secure, you’re never 100% without risk. So when you look at a low risk company, the amount of security components and the amount of activity that you need to do on that company is a lot less than you would need to do on a medium or high risk company. So when we look at modifiers to risk, I look at modifiers from a number of different perspectives: people that are in the organization, the processes that are in place, and the technology that’s in place.

Stefanie:
So, let’s start by looking at the people aspect.

Tim:
Right. So people, so what about people? Why are people a modifier to risk? Because people are often one of our biggest risk targets. If you look at how people act within the company, if a person can… If you have all of your administrators that have access to everything in the world, so I’ve kind of configured my environment, I’ve got one person, they have access to everything, they have no multi-factor authentication, their password is “Password1.” We face a lot of risk with people. Right? So, the programs that you have around people absolutely adjust the risk that the company faces. If you have a good program in place that says, guess what, yep, I have administrators, I watch what they do, they have to use multi-factor auth when they come into my administrative environments or into my major systems. They are strongly managed, they have limited access, they only have the access that they need to do their job and no extra access. Those types of things really are mitigating risks based on identity.

Tim:
Other places that you can look at people are, do you have training processes in place? Do you have a good way to train people? Do you have a good way to make sure your users are trained well? If the answer is no, then you bump up the risk. If the answer is “Yes, I have good security training for my clients or for my customers and their users,” then my risk becomes lower. Are there assigned roles? Is there a good model of understanding who should have access to what? And is that implemented well? Do people share login information, are logins shared across the board? Again, that would take up your level of risk. If the answer is no and they have very good control over administrative access, then it takes it down.

Tim:
Is it monitored? Do you monitor the access, do you monitor the controls, and do you have monitoring of people in place? And are people located in high-risk areas? Depending on what that means, from a high-risk area, it could be that people are in places where they may be more easily compromised, they may work from home or they may work from uncontrolled environments, they may work from-

Stefanie:
Starbucks.

Tim:
… Starbucks, but they may work from their own machines that aren’t controlled. So, it’s absolutely… People are one of those critical aspects that can either make your risk higher or make your risk lower.

Stefanie:
I like that we’re starting here, focusing on the risk that is inherent to an organization just by virtue of having employees. As it stands today, a lot of organizations’ daily business processes, the functions that they’re doing, do still require a large amount of human involvement. Maybe in the future we’ll have robots and things will be automated, but for now there is still that human element that we need to consider.

Tim:
Yeah, absolutely. If we could get rid of all the people, our security would be much better.

Stefanie:
Of course.

Tim:
But I don’t think we’ll do that right away.

Stefanie:
No, please don’t. I kind of like my job.

Tim:
So, what’s next? So after we go beyond people, we start looking at process. Processes show a level of maturity with an organization and show that you’re thinking about appropriate ways to manage things. A documented process really shows that… With a level of maturity, you end up reducing risk. So, what do I mean by that? So, do you have appropriate organizational policies? Does that mean who has access to what within an organization? Do you have appropriate business roles defined? How do you manage assets? Do you know what machines you have in place? Do you know what those machines care for? Do you know what machines face higher risks than others? That’s part of your process, understanding all of those components there. Do you have personnel security? Do you have physical security on who can come in or who can go out, and are you monitoring that? Simple things like that go a long way.

Tim:
Physical and environmental security, access control policies that say that you should only get access to what you need, and that there are documented reasons for people that have additional access. Important. Incident management; what do you do when something happens? If you have a program in place to be able to manage an incident as it occurs, then your level of risk goes down because you’re catching it early, you’re not starting from scratch, you’re not trying to build a process while you’re doing it at runtime. So, if you have good processes in place, again, your risk lowers. If you have no processes in place, your risk is higher. So, think of it that way. All of your business continuity processes, disaster recovery, data protection policies, all come into the processes that you have. Good processes make good security, which makes good… much lower risk. Lack of process makes higher risk.

Stefanie:
Right. And then I’m assuming, because you touched on data protection, disaster recovery, and some of the other items there, technology probably plays-

Tim:
Absolutely.

Stefanie:
… a big role in there as a modifier of risk of the client or of the business.

Tim:
People, process, and technology. So, what technology do you have in place? Do you have technology in place that can mitigate some of the risks of the organization? That’s the other piece that is a true modifier. So things like, do you have firewalls in place? Do you have other things in place? Do you have good cyberhygiene in place? All of those things are effectively adjusting the level of risk that is in play. So, when you think about it from an MSP perspective, think about it from a client’s perspective, being able to present them a nice little chart that says, “Picture this business, here’s the risk that you face. Since you have your people managed well, that’s a reduction in risk. Since you have your processes managed well, that’s a reduction of risk. Since you have the technology in place to manage you well, secure you well, that’s another reduction. So therefore, you fit at a very good and appropriate risk level.” Right?

Stefanie:
Right. Going back to, you mentioned it again, cyberhygiene, having good cyberhygiene, our favorite phrase on our podcasts, a phrase that I’m sure a lot of our listeners are familiar with, but for those that may not, because they haven’t listened to any of the previous podcasts, can you explain again what you mean by having good cyberhygiene?

Tim:
Yep, absolutely. So, good cyberhygiene should be considered a baseline, should be considered the base set of things that you need to do just to not be a victim of circumstance. To get those things in place means somebody that’s just passing by you in the night is not going to take advantage of you. What do those consist of? They consist of good endpoint protection. Antivirus on the endpoints. It’s very important to have a base-level protection on your endpoints. It does not need to be the most sophisticated protection, but at least a base level of protection.

Stefanie:
It has to be there.

Tim:
Appropriate segmentation in the environment so that if a user, a single user, gets compromised, it doesn’t go beyond that single user. So, having a sense of what your segmentation from identities and users is, as well as systems. In this environment, being regularly scanned for vulnerabilities and having a patch program in place that really works, and it’s truly a program, not easy to do, but an extremely important part of mitigating risk. Having patches where they are appropriate, making sure those patches are updated regularly. Strong backup. Always have a backup program in place. So important to have backup, because you never know what might happen. Whether that could be a system failure, happens, whether it be a cyberattack, happens, whether it be a ransomware attack, happens. Backup is just a fantastic safety net for all of those things.

Tim:
Email and spam. If you look at the number one entry point into an organization, people are always talking zero days and all of these other things. A good phishing attack is still one of the most effective ways to be able to infiltrate an environment.

Stefanie:
The wrong click of a mouse.

Tim:
The wrong click of a mouse. The phishing attempts are not specifically targeted at people. One of the things that we’ve been seeing with the rise in Office 365 and the Live services is a big increase in very well crafted phishing messages that say, click here to see your Live account. People will put their credentials in, and the screen looks exactly like what you would see if you did have a file on a Live Drive. People put their credentials in, they get access to Live Drive, but their credentials have been sniffed and grabbed. And then people will log into your email service, log into your other service, your O365 service, and do harm, right? They’ll use you as a part of the base campaign and then send out a message to all of your contacts.

Tim:
So, it’s important to think about that as a safeguard to have in place: how do you effectively manage phishing and spam? Are identities managed appropriately? Make sure you’re managing identities, make sure you’re trying to limit the access people have. Put safeguards in place, because you really don’t want to have access to anything more. In today’s world, I have access to nothing. Because I don’t want to be the one that took down servers. I don’t want to have administrative control over machines. There’s a lot of personal liability in having those accesses. Because it may not be you, but your system was compromised and then your credential was utilized to do that. So it’s important to do that.

Tim:
Segment the network, have threat monitoring in place. Make sure you’re monitoring appropriately. Doing appropriate levels of inspection and monitoring the environment, and then make sure, one of the simple ones, your configurations are audited, the default passwords are changed. Many places you’ll still see “AdminAdmin” everywhere as username and password. So, it’s just simple basic things that really go through a model making you much more protected than you were, not a victim of a drive-by, and it’s a great starting point that everybody should be at.

Stefanie:
Right. So, although technology obviously can play a significant role in reducing security risk, implementing good cyberhygiene, a lot of that is all based on having the right suite of technology solutions in place. You’ve also done a good job showing that people and the processes and the inherent business risks are other variables that, when you combine them all together, can really leave an organization vulnerable to attacks and really can work to increase their overall risk and exposure, is what you’re saying.

Tim:
Yeah, that’s exactly right. The base level of risk starts with the evaluation of the company, and then modifiers are applied to decide whether that risk goes up or down. So you can have a company in a very low risk environment where they’re actually facing very high risk because they don’t meet any of the good cyberhygiene requirements. Or you can have a company that is at high risk because of the categorization of the company, what data they have, what access they have, and they could actually face a very low or moderate level of risk because basically they’ve got the right people, the right process, the right technology in place. So, think of it that way.

Stefanie:
All right. So I want to circle back to the beginning. Now that we’ve reviewed the different components of risk, how can an organization, and I guess more specifically an MSP for that matter, measure their own risk exposure? Is there a model that you can take us through?

Tim:
The MSP, we didn’t really talk about that as much as we should. The MSP is absolutely one of my high risk companies. Because the MSP has access to their clients, they have access to all of their clients, they have access to that client’s data. So, an MSP is absolutely at high risk and they need to consider themselves at high risk and they need to take appropriate controls to make sure that they’re there. So when you look at measuring risk, we’ve got a basic model. The basic model is to classify the business, low, medium, and high. So where do they fit in that risk profile? Again, MSPs themselves should be considering themselves at high risk. Then they rate the level of maturity on people, process, and technology. If they have the right controls and the right models in place on how they manage people, how they train people, how they give access to people, if they have good processes in place, that takes them up or down on the level, and if they have good technology in place, that takes them up or down on a level.

Tim:
So in many ways, a low risk company has the modifiers that make it less risky. So if you take a scale from one to five, you can start with a low risk company having a range of two to three, a medium risk company having a range from three to four, or a high risk company having a four to five, and then you adjust it, you basically add modifiers for people, process, and technology, and that risk either goes up or down. That’s what you can present to the clients, and that’s what you can think of for yourself.

Stefanie:
Okay. So now that you’ve explained that, can you maybe walk us through a specific example to demonstrate how this model of risk measurement would work? As an example, a low risk company that does have good cyberhygiene.

Tim:
Yeah, absolutely. So if you look at a low risk company, let’s say a car wash. An MSP is managing a car wash, they have no real data. They outsource all their financial information and they have the choice of a PCI. But they do have back-end systems that help them order the right products. They have backup systems that keep their frequent clients or something on that idea. A very low risk. They would never be a target for a targeted attack. They wouldn’t be a target on somebody’s radar, but they have things that mean that they need to have just good cyberhygiene in place.

Tim:
So when you look at that, the car wash has low risk to start with. Now, you look at the program in place, and they happen to have a little firewall that has “AdminAdmin” as a password. Guess what? They now face high risk as a low risk company. That’s where you need to think about it, that the modifiers are absolutely in place to either make a low risk or high risk, because they didn’t have the good cyberhygiene for technology in place or processes in place or technology in place. If you take the other side of the spectrum, we’ll take a medical company, a small hospital, a regional hospital, very, very important data, very important data that they have that people want. So in that model, you take a look at what they have in place for people, process, and technology.

Tim:
So they are at high risk. But now you look at it and they say, “Okay, yep, I manage my identities well, I manage the access that those people have. I make sure only certain people have access to medical records, they can’t download them. I have firewalls in place, I have technology in place, I have identity management in place, I’m monitoring all of my activities, 7x24, I have great technology in place-”

Stefanie:
So they have excellent cyberhygiene.

Tim:
Excellent cyberhygiene, great technology in place, even above-board technology in place, and their processes, well-documented. So when you look at that high risk company, they’ve just shot down to a low risk because of the people, process, and technology that they’ve put into place.

Stefanie:
Right. Excellent. Well, thank you again, Tim, for spending this time with us today, providing our listeners with valuable advice around, as an MSP, how to actually start shifting that conversation from security over to risk. I think you did a great job highlighting the importance that MSPs need to move beyond just speaking about security and start speaking to their customers about what their own risk exposure is, helping them to define and to determine what their own acceptable level of risk is. Because if we can do that, and if our MSPs can do that well, that’s where the new sales opportunities lie for them.

Tim:
Yeah, absolutely. Absolutely. Sales objections often occur there in saying, “Okay, well, why do I need more security? What are the things that I need to do? I don’t understand.” So if you can put it into a risk context, they understand risk. Most customers understand risk. They understand what risks they would face if their point of sales terminals went down for a week or two days. They understand that that level of risk exists. So put the context into risk as opposed to security, and it’s going to be much more effective to sell to your clients and much more effective to reduce their overall risks.

Stefanie:
Exactly. So new revenue streams, and I see this as a different way, a new way for them to help differentiate themselves from their competitors in their marketplace, if you can have those conversations and have them well.

Tim:
Yep, absolutely. You just become a great partner.

Stefanie:
Again, my name is Stefanie Hammond, and thank you for tuning in and listening today, and we will see you soon on the next edition of TechPod.

Tim:
Thanks, Stefanie.