Cybersecurity Mindset is Always On, Everywhere

In this Tech Barometer podcast, UC Berkeley lecturer and co-founder of Resilience Insurance Davis Hake talks about the rise and spread of cyberthreats facing governments, enterprises and individuals.

By Jason Lopez March 11, 2022

Set it and forget it. That’s how digital security technologies used to work. Not anymore, according to Davis Hake, Adjunct Professor of Cyber Risk Management at the University of California, Berkeley, and co-founder of Resilience Insurance, a company that provides coverage against ransomware and other cyber-attacks.

“There needs to be more focus on what you do ‘right of boom,’” military parlance for how to quickly pick up the pieces following an attack and avoid catastrophic repercussions, Hake said. 

“To date, most emphasis has been ‘left of boom,’ on prevention.”  

With attack surfaces more widespread across governments, businesses and people’s personal digital footprints, everyone needs to be on high alert in order to protect valuable information.

“You have to be ready to respond,” said Hake. “Your business has to be set up in a way that is flexible enough and you’re prepared enough that if a large attack does happen, it’s not catastrophic.”

In this Tech Barometer podcast segment, Hake explains how IT security has evolved since he served as a cybersecurity policy expert in the U.S. Department of Homeland Security under President Obama. He has spent his career immersed in the war on cybercrime and operates at the forefront of the latest advances in IT security technologies.

Security challenges are not exacerbated by cloud technology, per se, but by the rapid, widespread disruption it is bringing to how things used to be managed. Many cloud projects were accelerated by as much as five years because of COVID, he said.

Those companies are “finding themselves in a hybrid environment” that they haven’t spent years learning to protect yet, he explained.

If configured properly, for example, hybrid multiclouds afford “potentially greater security through diversity of services,” said Hake.

“It’s not what you do, it’s how you do it,” he said. “If you use resources across several cloud providers but don’t understand how they all work, you’ll be in a worse [security] situation. If you plan things out, with the right configurations, then being spread across different buckets and regions with more segmentation [helps keep a] breach in one place from taking down the organization.”

Transcript (unedited):

Davis Hake:  The attackers inherently have the upper hand as they're looking to damage and break the systems. It's not just how you protect from attacks but how you build resilience against them. This might be, this might be strange for a cybersecurity expert to take this position. 

Certainly, I do remember a day when I had to go to the library to check out physical encyclopedias or my books. Still, having grown up with the internet the majority of my life I have been accustomed to, and I think younger and younger folks are accustomed to, the internet being an open place and that the structure of the internet being distributed and being open for use is the fundamental benefit of this system. And it’s what is driving the fourth industrial revolution that we're going through right now. You could say designers, should they have made it more secure from the outset? Would that have been a trade off in all the benefits we're seeing today? Hard to tell. 

Jason Lopez: Davis Hake is a lecturer at UC Berkeley School of Information where he's taught courses in managing cyber risk. And he's the co-founder of the firm Resilience Insurance. This is the Tech Barometer podcast. I'm Jason Lopez. This is one of those “how to re-think about something” stories. In this case, we're picking Davis Hake's brain about his thoughts on the fundamentals of security in a hybrid multi-cloud world. We'll get to that in a moment, but let's complete his broad brush view about the openness of the web and the trade off of the benefits versus the vulnerabilities. He says we've put a lot of emphasis on the benefits but maybe haven't given the realities of the vulnerabilities as much thought. Hake thinks that security on the open seas of the web should simply be a part of operations.

Davis Hake: Okay, we've built this system and this network. How do we stop users on this network from harming each other over this network? And I think that we need to not just think about vulnerabilities and patching vulnerabilities but how do we start building products and ecosystems that help protect the users that are using them in a way that the system can still be open and accessible, and still encourage innovation and, and drive sort of our global economy.

Jason Lopez: So let's drill down into the enterprise. Here's the example: the MITRE ATT&CK framework, which basically approaches security from the point of view of the intruder. Instead of an engineering approach, attempting to fortify everything, it asks the question, how would an attacker compromise and use the system? The answer to that question generally starts by prioritizing security measures aimed at protecting vulnerabilities likely to be most damaging to the business or to customers. The to-do list might start by limiting the attack surface or putting protections in place to limit attackers from moving laterally or escalating privileges. Hake emphasizes that as much as we've put into the prevention side of security we need to think about realities. As much energy needs to be put into the recovery side.

Davis Hake: This is where we're seeing a lot of research done by our data team and all the industry at large in saying what are the best investments? So that if there is an incident it’s contained, your security technology has limited the damage that it would do to a network. And that if there is a bit of catastrophic damage, what are the best practices for coming back, for taking that punch and standing back up in a way that it actually is probably stronger than you were in the first place? Because post-incident you know a lot about these vulnerabilities you might have had. And you're looking at putting a lot of more investment in the places that maybe previously you had overlooked.

Jason Lopez: Hake says cloud native has revolutionized enterprise computing, especially for startups where it's economically and security-wise, significantly easier, especially not having to deal with legacy architecture. It allows a company to launch a new production environment with less effort than compared to trying to keep older equipment and systems working. 

Davis Hake: Hey, there's that server from ten years ago that we completely forgot about but is still attached to our entire backend email system and is a vulnerable point of our attack surface. So I think being cloud native has been a game-changer for startups but also for small companies too that don't necessarily have to invest in the hardware and then keep that hardware for years to recoup that investment. They can deploy a new system. They can shut it down if they don’t need it anymore and jump into something else.

Jason Lopez: So now the questions of the hybrid multi-cloud. We're in a moment of development in which most companies, even governments, are not betting on one cloud provider, but using different systems, working together, whether owned or rented. And now during the past couple of years of a pandemic, this energy has been accelerated as many companies ask, how do we move everything to the cloud? 

Davis Hake: As a startup, we've been cloud so we've developed a lot of our security policies around that from the start. But you're an environment that's, you know, um, you know, uh, there's a lot that you have to rethink your security strategy, right? And so I think that that is where a lot of the security conversations that we talk about with our students, Berkeley come in saying, you know, security isn't something you can set forget, right? Technology is going to change. And it's your responsibility as the, you know, that essentially owning cyber risk to enable that technology to be used in a, in a safe way, right. It's not to turn that technology off, stop it from being deployed, but it's, how do you consider the risks and adopt your investments to, to mitigate those risks? And I think, you know, when you look at cloud that way, right, there's actually a lot that can be leveraged to help secure systems even better, um, through the cloud, right? I mean, this idea of, um, shared responsibility where, you know, cloud providers are responsible for the security of the cloud, your entity is responsible for the data in the cloud and use of the cloud, right? Um, that's a strong core concept that is, if it's not understood, <laugh> can lead to, you know, problems at scale, but if it is well understood, it can lead to incredible results at scale, and it can make a lot of old existing IT practices, uh, exponentially easier to secure systems, right?

Jason Lopez is executive producer of Tech Barometer, the podcast outlet for The Forecast. He’s the founder of Connected Social Media. Previously, he was executive producer at PodTech and a reporter at NPR.

© 2022 Nutanix, Inc. All rights reserved.