Week in Review: Crowdstrike Microsoft outage, AT&T breach implications, CDK pays up

Published: Jul 19, 2024 Duration: 00:31:10 Category: Science & Technology

Rich: From the CISO Series, it's Cyber Security Headlines. CrowdStrike update goes wrong, Friday morning is cancelled; the personal security implications of the AT&T breach; and CDK Global reportedly pays $25 million ransom following a cyber attack. These are some of the stories that my colleagues and I have selected from this past week's Cyber Security Headlines. Just like you would pick out a microphone from your audio settings, we've selected the perfect headlines, and now we are ready for some insight, opinion and expertise from our guest, Adam Arellano, the former VP of Enterprise Cybersecurity at PayPal. Adam, thank you so much for making the time and being here, really appreciate it.

Adam: Happy to be here on this very calm, nothing-to-talk-about day.

Rich: Yeah, everybody's just having a chill day. It seems very relaxed and there are no dumpster fires at all, don't worry about it. Hope all of your screens are no longer blue. Our sponsor for today is Conveyor, market-leading AI for trust center and security questionnaire automation. Remember to join us on YouTube live. To do so, go to CISOSeries.com, hit the events drop-down and look for the Cyber Security Headlines Week in Review image. You can click on it to join us, and then you can subscribe to our YouTube channel, and then you can join us, you can join CCL, you can join some of our regulars that are in our chat giving us their thoughts, their opinions, and getting feedback from me and our amazing guests, Adam, yourself included. So let's give them some fodder for some comments and let's jump right in.

First up here, the big story of the day, we alluded to it already: CrowdStrike update goes wrong and Friday morning, well, let's just forget about it. A worldwide blue screen of death greeted Windows users and their CISOs this morning. Flights were canceled or delayed, banks could not complete transactions, and even some 911 services became non-operational for a time. George Kurtz, CEO of CrowdStrike, stated that the problems were caused by a defect in a content update for its Falcon EDR solution on Microsoft Windows devices. He added the issue has been identified, isolated, and a fix has been deployed. Clearly this is every CISO's worst nightmare here, Adam, but instead of being a cyber attack, this appears to have been bad luck on an overnight update, something we've definitely seen before, just with much wider scale here. I'm curious what went through your mind as you learned about this event unfolding today.

Adam: I think the first thought that crossed my mind (and I was awake at about 2:00 this morning randomly and saw messages from friends in other time zones), the first thing that I thought, especially as it was connected to CrowdStrike, was "oh, that has access to the kernel, this is serious." And I did not at any point think that it actually was a widespread cyber attack. But it is a cyber incident, and it's important to call it that, as it is, and not an attack, because there's a lot of cool-sounding security companies that, when attached to some kind of incident like this, sound like an attack. So CrowdStrike does sound like a cool, you know, Russian attack name, but in fact it was just an incident.

Rich: Yeah, it's not Cobalt Strike or anything like that, you know, affinity be darned here, I guess. Obviously there's going to be a lot of things; CrowdStrike maybe owes a lot of process explanation once this is all remediated, you know, once we're on the other side of this and everyone's out of crisis mode for this. I'm curious, from a CrowdStrike customer perspective, is this a case of we were all making an erroneous assumption about the reliability of software updates? Is this a failure of testing an update that's being deployed, or is this purely a supply-side issue in this regard, from what we know so far?

Adam: Yeah, and I'll stay away from kind of speculating on causality here. I don't think that anybody has a really good understanding, outside of maybe the CrowdStrike engineers themselves, of exactly how this all went down. But from a customer perspective, what you've got is a very capable, well-known and successful tool, that CrowdStrike is, which on everybody's endpoints protects those endpoints from malicious activity, and does so by receiving updates and receiving information from basically the mothership. And that's something that we want. This is a feature, not a bug, that those updates come across. Now, the fact that an update that came across caused this is unfortunate, but ultimately it's inevitable. If you give anything access to your kernel, or anything that has that kind of power over your systems, the ability to auto-update, you're not going to be able to test beforehand, and I actually don't think you want to test. The opposite of this is what would happen if there was a massive zero-day attack, the ability for CrowdStrike to update its software was hidden behind your own change control processes, and you weren't able to apply that update in time and you got owned because of that zero-day. Then you're in the exact same spot that we are today. And so in reality, I don't see a lot of things in this process that need to change. I've seen a lot of chatter back and forth, a lot of people that have said, you know, thank goodness I was about to install and didn't, or now we're going to rethink our strategy around what company we use for endpoint detection and response. And I think that those are pretty, "misguided" is the right word for it, misguided ideas. In reality, whenever you have a big incident like this, it's my favorite time to watch people and companies and how they react, because you kind of get an idea of how they're going to react in any kind of emergency. And I think that deciding that you're going to remove or change tools over something like this is extremely nearsighted. In reality, what you want to do is watch how CrowdStrike responds. So far, and we're what, 14, 15 hours into this, CrowdStrike's response has been extremely transparent and fast. Even the CEO coming out on news outlets and making sure that everybody kind of understands what's going on is very impressive. There was no attempt to hide anything, and over the coming weeks as CrowdStrike responds and gives us more information, it's going to be very telling about the processes and the caliber of the people at the company. And if they perform this well, I would trust them over a vendor that has never had an incident like this, because they responded to it properly.

Rich: Yeah, obviously a big black eye for CrowdStrike, but I completely agree. The fact that we weren't groping in the dark to know what is happening, that we're hearing directly from the CEO and kind of really getting ahead of it, speaks to, you know, if you want to call it incident response, you want to call it just PR comms, whatever it may be, it's definitely a standout there. CCL in our chat has definitely been feeling this. He says, "we are on N-1 for the agent itself, maybe they need similar versioning features for their content." And CCL, I think, you know, Adam, I really appreciate your point of not being "once bitten, twice shy" when it comes to EDR, but CCL, I think a good point from the CrowdStrike side as well. All right, we've got to move on. Obviously that's the big story, but listen, we've got other stuff that was the fault of malicious actors, it turns out.

Next up here, the personal security implications of the AT&T breach. Last week on this show we covered the breaking news of the AT&T breach, which appeared to impact every AT&T customer, at least a vast majority of them. What was stolen was records of phone numbers that were called or texted to by customers between May 1st, 2022 and October 31st of that same year, but no content of calls or texts, or the time or date. But Rachel Tobac, a social engineering expert and founder of the cybersecurity firm SocialProof Security, says this data still makes it easier for cyber criminals to impersonate people you trust, makes it easier for them to craft more believable social engineering or phishing attacks against AT&T customers. So Adam, I guess in deference to Troy Hunt's Have I Been Pwned, maybe we can call this Have I Been Phoned.

Adam: I'm okay with that. As a guest on the show I won't groan too loud, but yes, I agree.

Rich: Thank you, thank you, I appreciate your politeness there. But you know, there is definitely a lot of passive data here that Tobac says allows for spoofing and social engineering. I'm curious, what are your thoughts about how vulnerable the public might or might not be following this kind of breach, where I guess it's relatively shallow in terms of no PII, but extraordinarily wide, vast? I don't know, it's the Lake Erie of breaches.

Adam: Yeah, and I would caution the hand-wringing here again, and I feel like I'm coming off as somebody who's trying to pacify the masses here. But in reality, on top of everything that everybody posts on Facebook, of a certain generation, everything that everybody posts on TikTok, of a certain generation, and you add this on top of it, it's not something that changes the actual elevation or depth of the personally identifiable information out there. A few years back when the Office of Personnel Management, OPM, was hacked, every secret security clearance-holding individual in the United States had massive amounts of very, very personal data that included relationships, addresses, phone numbers, hacked and leaked repeatedly by bad actors. And at the time the analysis was this was going to represent a huge counterintel threat to intelligence services in the United States, because you have all this information about our people with security clearances. And the reality of this is that that didn't actually materialize. I don't think that there was much, if any, use of that data to try and compromise those who are holding security clearances. There were much bigger compromises of people who were in sensitive locations by, you know, leaders of free countries than there were from that hack. And so for AT&T to lose this data is definitely not a great thing. It does add to the diaspora, or the level of information that's out there that can be correlated, and in an age when you can write some pretty smart scripts to correlate these things, it's possible. But there's enough out there already, and enough people who don't need really fancy phishing attacks to be susceptible, that this doesn't add too much to the fire, in my opinion.

Rich: So that's interesting you bring that up, and especially in relation to the Office of Personnel Management hack from a few years ago. So do you think this data being out there is more beneficial to low-level phishing, or to that more high-level, highly targeted, kind of nation-state threat actor who probably already has a deep well of data to go to?

Adam: Yeah, I would think it'd be more valuable for those who are going to be doing some really sophisticated attacks, and that is a danger. And even the OPM hack is a danger in that way, in that someone who is going to be targeted by a nation state, or someone with a lot of time and desire, that information can help. And to be real honest, it's likely that some of that has been used to phish in the past. And so my caution here is that a motivated attacker with time and resources is going to get you no matter what kind of information is out there, publicly or not. It really just depends: are you a target? And if you are a target, you should very much be careful about what you do, and educate yourself around how to block that.

Rich: All right, next up here, CDK Global reportedly pays $25 million ransom following a cyber attack. All right, Adam, here's another chance for you to be alarmist, you haven't lost your opportunity yet. Continuing with one of the big stories of this season in cybersecurity, CDK Global, the maker of specialized software for car dealerships, is reported to have paid a $25 million ransom in Bitcoin to the group that runs BlackSuit ransomware. The consulting firm Anderson Economic Group suggests that the total financial damage to dealerships in the first two weeks of the shutdown is just over $600 million; for math fans out there, 24 times the ransom amount. So Adam, while governments and security agencies repeat the mantra "don't pay the ransom, it only reinforces that behavior," in this particular example the analysis from Anderson shows a clear incentive for this organization, individually, not thinking of the overall security ecosystem, but for this organization specifically, to pay up as essentially a cost of doing business, possibly a cheaper one than an all-out recovery. With that business pressure in mind, I'm curious, what's your take on this?

Adam: Yeah, this is a fascinating one. I recently used the example of polar bears and parasites. The reason why you don't call a polar bear a parasite is because it's a bit too effective at extracting calories from its victims, whereas parasites are good at taking just enough that it feeds the parasite but doesn't kill the host. And in this case I think this attack group, the group that performed this attack, did a good job of finding the right price for what they were willing to pay, but not going overboard. And so what's happening in these situations, and this isn't a kidnap, the whole idea of not negotiating with terrorists or the whole idea of not paying ransoms hearkens back to the time when kidnapping was much more common and hijacking of airplanes was more common. And while that is an effective strategy when the bar for kidnapping an entire person or being able to hijack an airplane is extremely high, uncommon and very dramatic, these attacks are not the same level of effort and don't have the same level of kind of accessibility to anybody. And so I don't think that it's very practical to not negotiate and to not pay. And honestly, there is an economy, and there's economists who have studied it, there is an economy in ransomware, and ransomware actors are figuring out how high they can go with their requests. If they're not reliable, if they're not trustworthy, then they're much less likely to be paid. And so there actually is like an unspoken code of conduct, basically, between ransomware gangs and their victims. And in this case I think it was a smart thing to do. They may have lost a moral victory, but a moral victory doesn't carry too much weight compared to the amount of money that was lost.

Rich: Yeah, and this whole situation has made me think about all those car dealerships, just like, you know, thousands of other organizations that are depending on you, breathing down your, like, the business pressure on there had to have been just so intense, let alone then the money, the revenue that you're losing every single day that that's occurring. So I appreciate that perspective. And as CCL points out, polar bears versus parasites is going in the old analogy notebook. That is tremendous, I will think of everything in terms of calories from now on.

Before we move on to our second half of the show, we have to spend a few moments and thank our sponsor for today, Conveyor. Why do teams choose Conveyor over the competition to automate answering security questionnaires? A few reasons. One, market-leading AI accuracy. Two, they don't have to maintain a crazy knowledge base anymore, because Conveyor AI can read from any source, like external support sites, documents, past questionnaires and more. Three, it can process any customer file format, even PDFs, and it will even autoscroll and autocomplete portal-based questionnaires. Don't believe it? Try it for yourself for free at conveyor.com, that's C-O-N-V-E-Y-O-R.com.

All right, next up here, APT41 infiltrates global shipping and tech sectors. Researchers at Mandiant are warning of an uptick in malware attacks launched by the Chinese nation-state threat actor APT41 against organizations in shipping, logistics, technology and automotive sectors in Europe and Asia. Mandiant adds that in many cases APT41 has been present in these organizations since at least 2023. Check your calendars, that's not the current year. Adam, this activity of nation-state actors infiltrating infrastructure, occupying it rather than holding it for ransom, just very content to dwell there for a while, continues to reappear in the news, and in the eyes of some experts represents a long game for adversaries, who find great advantage in embedding themselves rather than doing the old smash and grab. I'm curious, what can the hardworking CISO do to prevent their organizations from becoming an unwitting part of this type of secretive occupation from these extraordinarily advanced actors?

Adam: Yeah, especially when we're talking about physical infrastructure, I think the most effective thing that I've seen is buying a DeLorean, souping it up just right, and then getting it to about 88 miles an hour so that you can go back in time and remind everyone that they should build security into the infrastructure of the United States so that we don't get here. Short of that, the entire, you know, Internet of Things, the entire infrastructure IT world needs to be revamped. It just has to be at this point. I actually heard this brief from Mandiant directly not too long ago at a teammate event, and they were just talking about this crazy red cloud of threats out there. And what's scary about this is that it's not just the smash and grab that's happening anymore, and it's a little bit weird that they're entering into these systems and then just kind of staring at you, which is likely much scarier in so many different ways, and waiting for the day that they're going to do something about it. Now, what the CISOs of these telcos, well, not telcos, but you know, utility companies, infrastructure companies, what I really wish they were doing was abandoning incremental improvement. I wish that they would stop just trying to improve things slowly and go whole hog, you know, get things different, done now. It's not sufficient to just improve things slowly when the adversaries that are working against you are doing so at a rapid pace. I have a lot of opinions on the leadership value of not just sticking your head in the sand, or showing green on a slide that says, hey, we're improving, we're 5% better.

Rich: Yeah, yeah, yeah, unless you send those to the attackers and let them know, hey guys, we're improving, just don't bother, don't bother, we're slightly better now, our patching SLA has gone from 400 days to 350, so don't attack us, you'll never win.

Adam: That's really what I wish I would see out of that, and I may eat my words one day if I ever work for one of those more legacy companies, but we'll see.

Rich: Yes, the standing caveat of it's easy to sit on a podcast and say rip up everything and start over. Like, yes, I wish there was the collective will and the resources, quite honestly, for these companies to do that. And it does seem like when you are dealing with threat actors where this is their game plan, right, and the other aspect of that I find really interesting is we've been covering over this whole year that a lot of companies are preparing for post-quantum encryption and stuff like that. All of these dwell-time attacks, where, oh, it doesn't seem like they broke anything, so they took up some information, all of a sudden that information that they might have exfiltrated becomes extraordinarily more valuable if encryption becomes a trivial thing in the future too. So that's something I always keep in mind with these attacks as well.

Adam: Yeah, for sure. I've been having a lot of conversations about post-quantum encryption this week of my own doing, and really, sorry to diverge just a little bit, this whole idea of being able to prevent all these attacks or all these problems like the CrowdStrike issue: if you think that you're going to have a vendor who's not going to take you down at some point or cause some kind of issue in your environment, you're just wrong. It's just not going to happen. You need to be not perfect, you need to be anti-fragile. It's a teammate, you know, coined phrase that they have been taking on a road show, and one of the things they talk about is to leverage your near misses. So this is a near miss. When you have an attacker that's in there and hasn't actually caused any damage, it's a near miss. What are you going to do with that information? Are you going to pretend like it wasn't there, or are you going to act like it really was something bad and then do something about it? And I would even say that the attacks that we've talked about so far, for many different industries, are near misses because the worst didn't happen. Bad things happened for sure, but the worst didn't happen. And if you're not using that to your advantage, and you're letting a good disaster go to waste, then what are you doing in the industry? Like, you have to use these things to teach your executives, teach your line people, teach your SOC what should be done in these cases, because every ounce of sweat in training is a drop of blood that you save in war.

Rich: Yeah, don't fire your vendor overnight, make your organization anti-fragile. I think that's some really solid advice. We will get out of here on this story: key SOC analyst skills versus Oscar the eater of bugs. A little bit of a long read here, but I think it's worth it. A survey conducted by the SANS Institute identified the skills that are key to success for analysts working in enterprise security operation centers, you know them as SOCs. These include a knowledge of cloud security issues, PowerShell expertise, and the ability to automate repetitive tasks and system management functions. Interestingly, the respondents showed that many SOCs continue to struggle with lack of automation and orchestration of key functions, high staffing requirements, a shortage of skilled staff, and a lack of visibility. I think those are all pain points we've touched on on the CISO Series Podcast at some point or another. They also reported a pervasive silo mentality among security, incident response and operations teams. Then in the same week we see Google introducing an AI agent called Project Oscar, which looks for software bugs within the software development cycle. So it's not writing code, but it's kind of sitting there in the meantime being like, you sure you want to expose that API? That kind of stuff. So Adam, a lot to unpack here in terms of comfort or discomfort that industry professionals feel about their culture, how that impacts operations, and the changes that are being posed by technologies like generative AI. I'm curious, kind of two interesting pieces of news here, what's your take on this?

Adam: Yeah, so the first part, let's address the SOC. Most SOCs that struggle, struggle because of a leadership failure, the failure of those leaders to actually feed and care for their SOC analysts properly. You know, Maslow's hierarchy of needs is very important in these situations, and as a card-carrying social worker, understanding that any SOC analyst whose, you know, all their time during the day is spent just over and over again going through the same process of evaluating, triaging and fixing, if they don't have time to just sit and stare at a wall for a minute, then they're never going to develop, they're never going to become actually happy and curious and do important things to change the flow of what's happening. And so things like Oscar coming online, which I again saw at RSA and I think is an amazing piece of technology that's going to make a difference, but it's not going to make a difference because it's going to catch more things. It's going to automate tasks, and hopefully what companies should be doing is using that as an augmentation to their staff, to give their staff more time to think about: why do I keep on getting this alert? Why is it that I keep on having this thing pop up over and over again? Instead of just being in a constant fight-or-flight mode. One of the things that I have written about more recently is the fact that cybersecurity leaders, especially at larger organizations, don't spend enough time thinking about leadership as opposed to technology. What is it that you're doing for your people? How are you preparing them for their next role? How are you making sure that they're being taken care of, and guarding their time, and at the same time giving them the opportunity to be creative? Those kind of things aren't taught enough in different courses for cybersecurity, and I don't think that they're paid attention to enough. So, you know, good on Google for bringing something public that they've been using already. And I feel like operations teams, SOC teams and security teams that don't talk to each other and have fine synergy there and make sure that there's, you know, mesh in movement, I would say to those CISOs: get better. You know, read a book about leadership, talk to llo Bach, you know, pick up an Adam Grant book and really figure out, like, what is it I need to be doing for these people at a human level? Because it's not just about how technical are you, it's about how well can you lead.

Rich: Yeah, and a lot of the conversations that we have on CISO Series Podcast, Defense in Depth, are trying to, I think, really emphasize that. That's one of the things I've been enjoying being with the CISO Series, is kind of being led into those leadership conversations of saying, yeah, being a CISO is not just about knowing the nuts and bolts. That can be supremely important, especially in particular organizations, but the ability to, on a very high level, get buy-in to your security program, but then going down to that SOC management layer, yeah, giving people the tools that, okay, these enrichment tasks that could be seen as glorified data entry, let's see what we can do with Oscar or whatever other vendor we have out there, and give you time to actually be creative in something that ostensibly you're passionate about. The reason you got into this, right, is you're a problem solver, right? That's what draws people into cybersecurity. Let's give them problems to solve.

Adam: Yeah, and the flip side of that is, if you're a security leader, and I promise to some people that I used to work for, I'm not talking about you in particular, if you're a security leader and you're standing in the SOC during an incident and your hands are on a keyboard, when you're surrounded by 152 people who are trained and in the weeds every single day, you've already lost the battle, because your head is not up and looking around. You're looking down into the logs when you've got people that know how to do that better than you. But it's a pride thing, you know, especially CISOs who started out as engineers have this place of pride where they want to think that they're still technical. Too many times what that means is that you're micromanaging and you're getting in the way of actual progress. One of my favorite stories: Jason Lee, and I hope I can mention people's names directly here, Jason Lee, Kelly McCracken and I were at Salesforce at the same time, and they were running the incident response area. And Kelly was amazing, because when Jason would come on as the VP, and Kelly was there with the incident commander, and Jason would start to ask questions, she would stop the entire meeting and say, "Jason, would you like to be the incident commander, or are you going to let this person whose job it is do their job?" And serious as a heart attack, Jason was like, "oh, okay, I will step back," because Kelly really did a great job of making sure that roles and responsibilities were well understood. And she had a happy group, because they were trusted and they were empowered and they were trained really, really well.

Rich: It turns out leadership is important. Yeah, I just thought it's all automated, right? We can just ask AI to do it for us. Well, thank you so much, Adam. As everyone can tell, I could keep going on about these kind of stories all day. We're just about out of time, but I did want to give a shout-out to Tom Cat, who I think is new to our chat here, relating to the CrowdStrike story: "going pen and paper in a retail environment is stressful." I had heard the old-school credit card machines were getting a rollout, you know, the chunk-chunk, get your carbons ready. So I am so sorry if you are dealing with that, or across any industry, right? I've been seeing some horror stories at airports and stuff like that, so I hope everybody's getting through this okay, and I apologize to all the security folks that are burning the midnight oil this weekend after this, that's not great. Before we get out of here, was there any story that was a thumbs up or an eye-roller for you, either in our lineup or over the course of the week?

Adam: You know, I think there's some really speculative stories out there. One that we had discussed previously was around the activists that went after Disney claiming that they were trying to defend the artists. There might be truth to that, there could be, but every single attack has two or three people that want to claim responsibility, and I just feel like it's a stretch to believe that one. So I give that one an eye roll.

Rich: Yes, definitely. That kind of seems like the more we find out about that NullBulge group, the sketchier, maybe it turns out, the people that are doing that are. Maybe they're just doing it because they want to make some money.

Adam: Yeah, who knew, who knew threat actors would be like that?

Rich: So, Adam Arellano, the former VP of Enterprise Cybersecurity at PayPal, thank you again for being here. Where can people find you on the cyberspace if they want to keep track of what you're up to?

Adam: Yeah, LinkedIn is a great way to do it. It's where I publish all my articles. Most of what I write and publish about has to do with leadership and technology, because I think every other subject is well covered. So I'd encourage people to get onto my LinkedIn page, go to the articles and read a few things. There's some pretty fun stories in there.

Rich: We will have a link to your profile in the show notes. Thanks once again, Adam, this was truly spectacular. Thank you also to our sponsor, Conveyor, market-leading AI for trust center and security questionnaires. Visit them at conveyor.com, that's C-O-N-V-E-Y-O-R.com. Also thanks to our audience today. You know, we can't always get every single comment up on screen. I know, CCL, listen, I said N1, I meant N minus one. You knew it, I knew it. This isn't the easiest job up here, okay, I'm trying to keep track of everything. I appreciate you being very nice to me and letting me know about that, but we can't always get everything up on screen. I love seeing all the comments in here, I absolutely love it. Please, we would love, if you haven't joined us already, join us in the live stream, it would mean a lot, and I will react to one of your comments or something. Well, you get a heart, maybe, I don't know, I'm not making any promises. Actually, we will not be having a Super Cyber Friday next week, but that's because David Spark and the CISO Series juggernaut will be on the road, participating in the San Diego Cyber Group meetup on Wednesday, and then another meetup of CISO Series fans and cyber pros on Thursday in Portland, Oregon. We were trying to get him to go up to Canada, but he said he wouldn't keep going north. You can get more information on these by going to the events page at CISOSeries.com. Be sure to check those out, but we'll be back next week with this show at 3:30 PM Eastern for another Week in Review, super exciting. In the meantime, you can of course get your daily news fix every day through Cyber Security Headlines. Give us about six minutes, we'll get you all caught up. Until the next time we meet, I'm Rich Stroffolino reminding you to have a super sparkly day.

Cyber Security Headlines are available every weekday. Head to CISOSeries.com for the full stories behind the headlines.
