Token Security Podcast | Alan Daines Chief Information Security Officer at FactSet on Phishing


About Token Security

At Token Security our goal is to teach the core curriculum for modern DevSecOps. Each week we will deep dive with an expert so you walk away with practical advice to apply to your team today. No fluff, no buzzwords.

About This Episode

In this episode, Max Saltonstall and Justin McCarthy are joined by Alan Daines, Chief Information Security Officer at FactSet, to talk about phishing, educating on it, and defending against it.

About The Hosts

Max Saltonstall

Max Saltonstall loves to talk about security, collaboration and process improvement. He's on the Developer Advocacy team in Google Cloud, yelling at the internet full time. Since joining Google in 2011 Max has worked on video monetization products, internal change management, IT externalization and coding puzzles. He has a degree in Computer Science and Psychology from Yale.

Justin McCarthy

Justin McCarthy is the co-founder and CTO of strongDM, the database authentication platform. He has spent his entire career building highly scalable software. As CTO of Rafter, he processed transactions worth over $1B collectively. He also led the engineering teams at Preact, the predictive churn analytics platform, and Cafe Press.

Max Saltonstall 0:00
Welcome to Token Security podcast. My name is Max Saltonstall from Google. And today we’re joined by Alan Daines, global CISO at FactSet. Morning or afternoon, what time is it where you are?

Alan Daines 0:24
It is early afternoon. Awesome.

Max Saltonstall 0:27
So can you tell me just a little bit about what is your overall perspective on what you need to do to keep FactSet secure me you’re looking at this from a global level?

Alan Daines 0:37
I’ve come into relatively new organization here in the past year, and had a very exciting opportunity to come and build a world class security organization. When you’re kind of the guy they brought in to ensure that everything is secure, have you kind of have a anything that looks or feels like security is really on you.

Alan Daines 0:57
And so I have this fun challenge of exploring and company and understanding what looks and feels and smells like security and where the conscious lens on what is the right thing for us, you know, our clients who are extremely important to us. So making sure that we’re safe guarding our clients is a primary driver.

Alan Daines 1:15
But the more you spend on security, the more you take away from enabling other parts of your business to succeed and build products. And we’re a big technology company. So there’s a continual balance on what is the right amount of security to apply both from a cost perspective, and from an innovation and just restricting people to be as creative as they might otherwise like to be.

Alan Daines 1:47
So it’s been really understanding what that looks like here at FactSet, where we should buy more where we should apply less, what things we doing well, and building that story so that ultimately I can articulate my leadership: what is FactSet security posture? Is it good, bad, ugly?

Alan Daines 2:05
And should we be progressing on that anymore? What does our current state look like? What should our target state look like? And should we be building a roadmap that takes us on a journey that further matures our security posture. So lots of fun and doing that, particularly when you do that within a new organization and getting to understand how the business works, and all the delicate intricacies that go into something like that.

Max Saltonstall 2:28
So it sounds like there’s this mix of learning, but also socializing kind of What’s your goal? What’s your target state? Does that mean that the other leaders at FactSet don’t have a clear sense for what they should be doing or what they should be targeting for security? They’re looking to you?

Alan Daines 2:44
I think they there is a really solid understanding what security means. And there is then looking at me on to, is that okay, is that good enough? Should we be doing more? And so that’s some really fun conversations where I was actually surprised to see the appetite for people asking how can we do more security? I wasn’t really expecting that level of actual appreciation and understanding, I think I was expecting to be a bit more refined of this the supply more controls and more security people like, well, this is great. But should I be doing more? What could I be doing better? Is this good enough? I think they want the reassurance that either what they’re doing is great, or we need to be doing more. Could we be doing more, and they’ve got an appetite to go consume that. So that’s actually very refreshing.

Max Saltonstall 3:33
Sounds like good partnership then between your security teams and the other teams internally?

Alan Daines 3:38
Yeah, absolutely.

Justin McCarthy 3:39
So there’s one area that we’re going to focus on in this conversation. And it sounds like among a broad set of security topics that you’re partnering with sibling orgs on. There’s one that actually I think we’d like to go deep on today. And that’s the topic of phishing, educating on phishing and defending against it both on the human factors, as well as if applicable, any of the technologies are involved.

Justin McCarthy 4:02
But first, I’d love to just have your view on this is 2019. Why is phishing, something we’ve heard about forever? Shouldn’t this be a solved problem by now and what does it mean to you in the day to day?

Alan Daines 4:15
So I think it was funny, because a few years ago at you know, around the, you know, the big boom of security in 2013 2014, when we also have got the wake up call to say hey, all those security guys, you know, what we’ve been talking about has become realized with you know, these mega breaches that started to happen. We also started to look at what how these things happening.

Alan Daines 4:36
Because to be honest, prior to that most companies weren’t really aware of they’ve been breached on the mega breaches start to happen, we start to invest in more technologies to go into tech, the more we invest in, in detection capabilities, the more we realize we had problems, I’m talking generally within the industry.

Alan Daines 4:53
So that’s where you start to see more and more breaches get announced. And the more we start to look at it, the more thing well, how they getting in. I remember looking at statistics a few years ago, and it was like 40% of breaches were coming through email and through phishing campaigns, 50 60, 70 – the last statistic I saw I think was like 92 point something percent of all breaches start through a phishing campaign.

Alan Daines 5:16
And it’s not really a surprise when you start to analyze how they happen. Because how easy is it to identify what the email domain is for a company you’re going to go after? How easy is it then to go write a script that just formulate every first and last name at that particular target domain and just pepper them with emails, remember you just need one person to click on an email and compromise the system for it to then infect the system and then start to laterally move and gain a foothold.

Alan Daines 5:46
And so I think a lot of it has just become the ship is in which we can get compromised through an email and the tiny amount of money that it costs to actually implement that.

Max Saltonstall 5:58
Do you think that broad shotgun approach to phishing is more common than spear phishing and focusing on specific high value targets?

Alan Daines 6:05
I think you see a bit of both. I think in the average company, it’s more of a just a spray gun, the way you analyze some of the big really complicated breaches then much more result of the spear phishing campaign. And because it’s such a socially enabled environment. Now, as a community, everybody knows, you take your target company, you can go research some on LinkedIn on Glassdoor, and other things. And it’s very easy to build a map of who the right people are had to go then target at one key engineers or you want the CFO or you want to see the number of times you just regularly see the CFO in particular that email is spoof, versus them actually being a targeted phishing campaign.

Alan Daines 6:54
Because now you can go speak to the CFO, you can take an email that looks like a quick Hey, I’m just jumping on a plane to name faraway distant land, I’ve been on a plane for 14 hours, we’ve got this urgent deal, I need you to pay this within this, I’ve got written six hours to get deal on the way on a plane for 14 hours. Don’t let me find out this wasn’t done.

Alan Daines 7:14
When I got off, you find out who the CFO is, you can easily find some typeface to go set, make an example of what an email from that person would look like spoof it to come from CFO use a social media platform to identify just the right level of finance person that isn’t so senior, they would have a relationship with the CFO missing some Junior that they couldn’t go pull the trigger on that the number of times that worked really, really easy.

Alan Daines 7:39
And it’s almost zero risk and doing it you can just send a bazillion dollars to every company think are going to compromise a system you want to go after something very specific on now if I want the so and so code for an application on a particular company, I go research that company, it’s fairly easy to find out who the engineers are, they probably happily advertise what they do and what they work on to now you’ve got your targets, you can probably guess or email and you just have to pepper them. And at some point, you’re probably going to find some way of getting through and whether it’s an attachment or a link or something. There’s such a simple way. Again, it’s such a low risk and such a low cost taken email asking,

Max Saltonstall 8:19
How do you stop that from being an effective strategy?

Alan Daines 8:22
Was probably two primary mechanisms. One is through technology. So thinking about all the different solutions that are out there, if any of you were at the RSA conference recently, the expo hall is now so large, there’s 4000 plus vendors, I think, in the security space, the majority of them are probably that you could pick up team different tools.

Alan Daines 8:48
But if you aren’t first focusing on what your email security solution is, you probably missing something, if you think king of email is the door in which the bad guys are trying to sneak in either barging through or sneaking in.

Alan Daines 9:01
That’s where you focus your technical controls, have good technical controls around email, because then you stop them getting them in in first place, have good technical controls on your end point. I think antivirus has come a long way from where it was many years ago as a single antivirus agent. Now it’s got heuristics, you’ve got empty ATT type capabilities, advanced persistent threat, as a lot of sophistication that goes into having visibility into your endpoints, because ultimately, if they have an email through your clicked on it, that click is probably going to try and download something malicious onto your system.

Alan Daines 9:38
So if you then least got the sophistication and detection capabilities on your end point, at least, you know, it’s happening might not prevent it from happening, but at least you know, it’s happened. And so at that point, then it’s investing in the ability to go and actually allow on that protection taking place. So you would then start to think about how you invest in visibility within your environment. So you’ve got a detection, it’s gotten through the least you’ve been able to alert on it.

Alan Daines 10:05
Now do you have the skill set and the people in a real security operations center or somewhere where they can actually receive that, and understand that, if you think about the number of times you’ve seen a breach in the news, they actually had the right tools, there’s some the industry leading best tools, recognize, and you’re never going to prevent a lot of these things and all the alerts are there. But they haven’t done anything with them. It’s very common mistake to go and buy tools and technology, deploy them thinking you to configure it and they become a set and forget and move on to the next tool to go to play.

Alan Daines 10:37
There’s really two sides to taking a tool, there’s the installation deployment, and configuration that at all, and then there’s the consumption of the output of what that tool is putting that together. So if you think about that life cycle, if I just kind of reiterate it, you know, ideally, you stop them coming in the door with some kind of email protection filtering type of solution, your email gateway, if they have gotten through, they’re going to try to install something on an endpoint system.

Alan Daines 11:03
So having good Endpoint Protection, a next generation antivirus, so to speak, that at least alert to that something’s happened that may not prevent it from happening. And at that point, how you then receiving those alerts going into some kind of SOC. And actually responding to those alerts and identifying that, hey, this thing happened over here on our system, that actually might be a bad thing. And I need to go look, because very quickly, they’re going to morph from a piece of malware that installs down on the system, they’re going to move quickly into they want to become Alan or they want to become Max, I want to become Justin.

Alan Daines 11:39
And now they’re just a user, that just hopping around and Max is going to go to as Exchange Server because max ghost as Exchange servers get an email, they don’t know that. Really, Max isn’t Max, Max is a bad guy. And they’re actually dumping Max’s mailbox to a PSD file. And they’re going to try and copy it. Africa network.

Justin McCarthy 11:56
So Alan, I have a question about that kind of, when I think about it, you know, the ultimate goal of impersonating someone after a successful phishing event, I think about it actually on a relatively small team. It’s been a tractable problem to build a culture of awareness, in addition to technical training, a little bit of a culture of skepticism, specifically around essentially all email.

Justin McCarthy 12:21
So, you know, if there were any, can you just open this attachment real quick? For me,

Justin McCarthy 12:25
I’m sorry, it’s not working on my computer. I’m happy to see when a team member says like, Hey, does it make sense that this customer would be emailing me something about an invoice right now? I see questions like that in our chat channel, this kind of correlating email events that are happening. I’m wondering, I have no clue how that might scale up to an organization as large as FactSet. So can you tell me a little bit about how you might achieve that skepticism or whether it’s implanting that skepticism is intractable. And therefore you have to rely primarily all the tools?

Alan Daines 12:56
Well, I think that was kind of where I was, eventually, my mobile rambling tales of technical controls, you know that the second aspect to preventing those happening is the training and awareness, you can put all the technical controls in place that you want, but there’s always going to be an aspect way, and users have the ability to do something crazy. We’re human its human nature. A lot of this is easily preventable, if you educate your workflow.

Alan Daines 13:23
So it’s one of those, it seems such a soft and silly thing to our about training and awareness. But it’s often one of the most valuable mechanisms, we have to go about this. Because if you are trained well enough to go and recognize that this is malicious, and amazingly, Max isn’t sending me a link to sign up for something where if I give him a few dollars, you can send me a million dollars next month.

Alan Daines 13:49
If you’re smart enough to recognize that, then all of a sudden, people aren’t doing sleep things that trains you know, I tried to train my way final, these are get a lot of emails from our bank saying, hey, you just got locked out or a fraud prevention because they’ve gotten smarter and smarter. And hey, we can here’s what the banks do to make your way. Well, let’s kind of piggyback on that. And we’re well trained enough to recognize our bank is never going to ask us to log off the never going to ask us to click on the link, they are going to tell you to go to your online account and do something they’re not going to say here is the link to go process that step.

Alan Daines 14:26
But if you haven’t learned that subtle difference, you may just go click on that link and follow their instructions log into your bank, it may look like your bank because they’ve got a pass through but they’re just captured your credentials. And so so much of that still heavily relies on how do we educate our workforce. In past years, we’ve done some really big campaigns around phishing awareness, using some really great products out there to effectively test your employee base, send a series of emails out there over a period of time see how many clicks through?

Max Saltonstall 14:59
Does it work, though? Did they get better?

Alan Daines 15:01
So statistically, I’ll give you this from something they did probably a couple of years ago, in a past life, we probably had a I think it was like a 53% failure rate, initial test. Then we went through an extensive amount of training and awareness in a number of different forums. And we got some great coaching, we had some really good comes training and awareness, people that really kind of drill the message in that said, you know, focus on a particular point.

Alan Daines 15:30
And reiterated don’t kind of do one thing, move to the next thing, the next thing, take a key message like phishing wise bad and here’s how it happens. And drill it in. And we have like intranet communications, blog posts, corporate, you know, whatever social caste type of messaging platforms —

Alan Daines 15:50
Which is putting a lot of work internally into this training, like it’s both your time and everybody else’s time.

Alan Daines 15:56
It’s a lot of effort. But we was mostly successful, but was it was really short and sweet. It wasn’t, hey, go take this, this 30 minute training thing or read this 15 page document, it was, you know, you can fit it in a single window of an email, it’s phishing is bad, because bullet bullet bullet summary, it was that short and sweet.

Alan Daines 16:16
And just more or less the same message with a couple of examples over different forums. And we will sub 10% failure rate within a year, which is good because we were getting pretty nasty with our phishing campaigns are like, I would have to think twice before clicking on some of these are not clicking on some things. They were that good?

Max Saltonstall 16:35
Is there a way to prevent the damage though, instead of because I don’t think you’re going to ever train all the people to not click and a persistent, focused attack, you know, really sophisticated spear phishing, they’re going to get someone to click eventually. So how do you minimize the blast radius? How do you minimize the amount of damage a successful phishing attempt can do?

Alan Daines 16:55
Then it becomes a combination to how well I’m training and what technical controls you have in place. Really, it’s a combination of the two. So he says, if you’ve got 10,000 employees, and you send an email, or 10,000, however, you know, if you’ve gone from 50%, failure rate of 10% failure rate, you still got 10% of that population is going to click on it,

Max Saltonstall 17:16
I now have 1000 accounts inside your company. Hooray.

Alan Daines 17:19
And so then it’s what technical controls to have in place to prevent it, or what is my vulnerability posture look like because really, most of the time the malware is coming in it’s, it’s, it’s going to try and compromise a vulnerability on the system. And ideally, if you’ve got you know, a cleaner environment, there’s less likely they’re going to compromise the vulnerability. So that becomes then your third avenue of protection is fundamentally is don’t exist to exploit in the first place, then malware trying to exploit them as less likely to be successful.

Max Saltonstall 17:51
I like the idea of cleaner systems, right? But it’s sort of cleaner, but not clean, so are totally clean. But you now got this this Fisher person who he’s got, you know, 1000 compromised accounts, even if they haven’t dropped any malware in. That’s a lot of data exfiltration or that’s a lot of lateral movement. So can you tell me a little more about what you would recommend doing so that when those phishing attempts are inevitably successful, even if it’s 5% of the time, you’re not losing all your social security numbers or payroll data or something?

Alan Daines 18:24
Yeah, I think then it comes down to what what does the inside of your environment look like, if you have a big open flat wide network, and Max lost his account because he was he was duped by Justin. And, and just to Max has access to everything in the company, whether he needs to, and then all of a sudden, the blast radius is certainly larger. If you’ve got you work in a more segmented environment. And you know, Max works in a particular you work in a particular function.

Alan Daines 18:56
And so that’s much more siloed off your environment is more segmented, that’s a good stuff. If within your environment, then you only have access to the specific applications, you have at least privileged operating model, I think that helps as well. If you then think about, well, what if I don’t really care about Max’s account, I don’t really care who’s in my environment, because I understand what my high value assets, as you think about, you know, every company has bucket loads of data. But how much of that data is actually stuff you care about probably a really small amount in the larger volume sense of the math. And so if you assume, probably less than 10% of your day, and maybe 5% of your day, and maybe less is actually stuff would classify the on a certain level, then it kind of comes back to what are your foundational security policies look like?

Alan Daines 19:46
Do you have a well defined security policy framework laid out that then starts to look at your data classification standard, and your controls that go into that, if you’ve got a good set of policies, and a good set of controls, something like a really robust data classification policy exists? Well, if you’re hearing, you’re able to adhere to that. Now, you know, what your important data is and your data classification policy is saying maybe it’s defined four levels of importance, public information. So this stuff is just happening out on your public website, you got your internal information that again, you don’t know put it out in your website.

Alan Daines 20:28
But if it got lost as a zero value, which is where most of your day is actually going to sit in that bucket, you’ve got a tier above that, that this is a little bit more sensitive, and I’ve got some, maybe employee information means some client information, but it’s not hugely damaging, it’s not credit card information. It’s not health care information. It could be some intellectual property of the company owners, but it’s not massively damaging. And then you’ve got your top two, or maybe your top secret or how you’re highly confidential, whatever you want to call it, will endure that patient span and hopefully your different well, within these criteria levels, now going to secure my data to handle my data management data in different ways and talking about encryption, in transit encryption at rest of the controls and these privilege, key rotation, whatever those things may be, that all starts to apply.

Alan Daines 21:18
So if you have that foundation there, and then you start to ensure your companies are hearing to that is starting to build maturity in the way you manage your information from a true data governance perspective, because now you take that concept to the other end, I’ve got a really mature Data Governance Program, I know when my day or is I know which of it is classified which level. So I’ve effectively defined what my important data or my high value assets, I think of focus on my technical controls, because they are defined power classification on my highest value assets. So now say I’m a company, process orders online website.

Alan Daines 22:00
And so really my highest value assets, my customer data, my customers information, customers credit cards, everything else is from a security perspective, relatively low value. And all of them were about as more maybe an availability of my website. But really, you could come in and just have acted with in my environment, it would be a problem, but it’s not something I’m going to have to disclose. It’s not something I’m really going to going to damage my brand. As long as I protect that particular aspect of my business. That ultimately is how you massively reduce the blast radius. But easier said than done. Who knows where all the data?

Max Saltonstall 22:35
That’s a topic for another episode? Where is my important data? Yeah, I would love to get into more specifics, not like which products but specifics around? How do you decide the way to do that sort of segmentation or the role based access? And I think that talking more about the blast radius would be really interesting.

Justin McCarthy 22:53
Mostly, I do have one that I want to go for it. I want to try back on phishing itself. Yeah, sure. Max, the plan to distract Alan with a podcast while we infiltrate as organizations working.

Max Saltonstall 23:04
It is not sure I he didn’t click on the link that I sent him.

Justin McCarthy 23:09
But he’s doing this whole interview. Like he’s totally fell for it.

Max Saltonstall 23:14
I’m very valuable. And I think phishing is funny because at least one of the experts who I really admire, she likes to say, you know, you can get someone to click on anything, you will never stop phishing. So what you need to do is stop it from being a big problem. That’s kind of what I’m trying to get into is like, Well, what do you do? If you accept that you’re going to get phished, you’re going to get compromised? Like there’s probably someone in your network right now, we shouldn’t be there? How do you limit them from really causing a lot of harm?

Justin McCarthy 23:41
So Alan, let’s, um, let’s actually switch hats for a moment, let’s put on our red team hat. And like, let’s just let’s just design a really effective, efficient campaign. Let’s go rogue and try to do this. So like, what are some elements that you want to include to do a pretty good job and let’s say it not spear phishing, but let’s say it’s like one of the either spray and pray ones or maybe more broad one. But what are some elements that we’re definitely going to include have pretty good chance of success?

Alan Daines 24:09
Well, I think I would research the company a little bit beforehand, understand their line of business law, things they’re likely to be interested in. If I’m doing a spray and pray, then it I probably have to do less research into the individuals, but I’m going to want to understand the domain names that they use for email just is not always assumed.

Alan Daines 24:31
So making sure I understand the right email, and what’s the geography that they play in? Is it just one particular country or a global therefore, you know, if I’m going to build my, my list of names, then I’m at least you know, playing in the in the right area? Do I understand what the email structure is, you know, first initial last name is it first name, dot last name, you know, that kind of stuff, just to kind of built bill that, if I can reset as much on individuals that work there as possible, and really get a dump of LinkedIn or somewhere to actually get real users real names, that helps as well, if I can populate it with as much likely in that knowing that there really is no adjusted McAfee working at this particular company, it’s actually going to obviously help, then I’m going to want to look at visually, what does the company look like, because I want to make this as realistic as possible.

Alan Daines 25:28
Because I may want to say payroll, or HR or something, or depending on my style attack and may want to do something a little bit more creative. Maybe I’m going to wait for the holiday season. And that’s a particularly dangerous time, because everybody’s buying, everybody’s getting additional messaging, everybody’s looking for office. And so if i in a depending on the industry, and I can hit on a particular enticing offer that may play well into the employees at that particular company, I’m going to do that, hey, you know, especially for company x is everybody.

Alan Daines 26:03
And we’ve just done a big deal with your company, and everybody’s going to get 50% off or so and so click here to register for your discount code and go to our website and use this code at checkout. And all of a sudden, you’ve got something really compelling. And that’s all honestly one of the best ones is it really compels people, people get excited. And if you can emotionally tie, then you hook people more. I’ve talked in the past about the emotional side of leveraging things like you know, other social media platforms, and particularly more on spear phishing, if you can tie into, hey, if I know that Justin has this in his family or business personal life, and I can hook into that I’m a lot more emotion tied to try and to jump in and deal with it. And be involved Am I am, oh, it’s a boring work thing from HR, which may get me It may not I offer from so and so who knows if I’m going to be interested, then, you know, 50% off of TV on Black Friday.

Alan Daines 27:03
But if I know that, you know, your personal passion is this was in your family because you put all your information out there on Facebook, I can hook you and really are in a really interesting way. So I think it’s then finding what that hook is. And then building a message with the appropriate graphics, you know, try and keep the grammar correct, because that’s honestly one of the biggest giveaways is poor grammar. So the first thing that

Max Saltonstall 27:28
matters, it really does you

Alan Daines 27:31
know, as a Who would have thought it.

Justin McCarthy 27:33
Do we have any grammar sponsorships for this podcast? That would be good. We need one. Yeah.

Max Saltonstall 27:37
Yeah. Good question today brought to you by.

Alan Daines 27:41
So if you can, if you can make things grammatically correct, it looks like it comes from an individual you trust. It looks like a brand that you recognize, you know, the more recognizable it is and the more accurate it is, the more likely it is to get through it. That’s how I would put it together.