20 August 2021

Recent Breaches Affirm The Wisdom of Proactive Testing

Synack

The acceleration of digital transformation over the last year has put increasing pressure on security executives to fully engage corporate leadership in driving new approaches to cybersecurity strategy, increasing resilience, and decreasing security risk. At the same time, legal offices are continuously adapting to the reality of breaches, and an uptick in ransomware attacks highlights both the persistent risk to businesses and the demanding task of prioritizing response options in a resource-constrained environment.

The breach landscape, its consequences, and the policy around it are all still evolving. One theme, however, stood out from the panel discussion: the enduring value of proactivity and security testing by organizations.

Synack CEO Jay Kaplan joined Cognizant CISO Jason Lewkowicz and Freshfields Bruckhaus Deringer counsel Brock Dahl, a former Deputy General Counsel at the NSA, at Black Hat 2021 to discuss recent trends in digital transformation with an audience of CISOs.

Jay Kaplan (left), CEO and co-founder of Synack; Jason Lewkowicz (middle), CISO at Cognizant; Brock Dahl (right), counsel at Freshfields Bruckhaus Deringer


Legal Adapts to The Reality of Breaches

On the legal front, Brock shared that many clients are only gradually learning to consider the legal dimensions of preparing for, and living with the consequences of, a breach. “Across the different industries I think we’re starting to see our clients…become attuned to the [legal] risks because of these high-profile events.”

Where does testing fit in the legal picture today? “If you don’t know what your vulnerabilities are and you’re not trying to understand them as a leader, you’re not being reasonable as a leader. And failing that reasonability test is a bad thing for a litigation environment,” said Brock, advocating for proactive testing and asset management. “Trying to get a company to invest in preparation beforehand is really key.”

“There are so many of these events that are taking place at an accelerated pace,” Jason chimed in. With high-profile attacks becoming more frequent, he suggested, companies should treat such an attack as a very real possibility for themselves, which in turn encourages preparedness.


Ransomware and Supply Chain Attacks

Moving on to ransomware and supply chain attacks, Jay said, “if there was a theme for Black Hat [this year], that would be it.”

From a legal perspective, Brock observed that executives tend to frame the risk as one of business continuity, while lawyers are thinking about the legal risk. There is both an opportunity and a need for those two conversations to merge, he said, and that merger is only just getting started.

Jason added his perspective as a CISO: “We try and model out…where do we think that we would be prone to one of these types of attacks and would we be resilient against it?” He again emphasized the panel’s point about being proactive in the wake of recent breaches and attacks, sharing his thought process: “Internally I like to refer to it as offensive security. If I can find things faster than the bad guy…that’s a good thing.” Speaking specifically to crowdsourced approaches to penetration testing, Jason said that “the reality is the attackers are always changing their techniques. And that’s what I like about crowdsourcing. I’m never getting the same thing twice.”

Looking at the future of ransomware, both Jason and Brock voiced concern for the healthcare industry as a target, with Brock describing it as having “cash-rich organizations that have a lot of highly sensitive data.”


Policy – Paying Attention To and Advocating For Change

Jay then asked the panel how companies can become more engaged in policy discussions, especially now that the Biden administration has taken a strong stance on cybersecurity.

“One [way] is engagement with trade associations that your particular industry may be active in,” commented Brock. “When you come in as a group, it’s much more effective.”

A second way, he said, is to follow new standards and executive orders closely, along with announcements such as NIST’s definition of critical software, published within the previous two months. Doing so leaves an organization better informed and ready to take part in the cybersecurity policy conversation. “When you get into more technical issues, the voice of one organization that is technically proficient can have an outsized impact on the way those policies develop.”


Looking Ahead

Finally, Jay asked the panel what they thought they would be talking about five years from now, at Black Hat 2026.

“The truth is, the bad guys have stumbled upon something fantastic. Who better to pay for your data than you,” Jason answered, suggesting that ransomware would remain a prominent topic. Asked what organizations could do between now and then to get better, Jason answered that robust asset management and preparation are key, complementing Brock’s legal commentary on achieving “reasonability” in the legal arena.

Brock added that CSOs and other technical leaders should be “comfortable speaking in public about their knowledge,” noting that there is a knowledge deficit and a need for education about the risks and consequences surrounding cybersecurity.


Proactivity and Testing Remain Paramount

Overall, the panel landed on a definitive point of agreement: the merits of proactive asset management, crowdsourced testing, and preparedness. As a CISO, Jason shared his appreciation for robust testing and diverse perspectives, and described how he must continually ask questions such as “who has access to our data? Where does that data live?” In agreement, Brock said he challenges his clients to ask “what does the data flow look like? Can you map it? Do you know where the most sensitive assets are?” Such questions reflect the mindset of today’s leaders: proactive asset management, and testing with an adversarial mindset, should be a primary focus.

With high-profile breaches and ransomware cases growing more frequent, companies should invest in cybersecurity solutions that best prevent exploitation. Legal consequences for breaches may evolve and new policies may pass, but testing will remain a wise investment and a proactive measure, especially as attackers grow more creative and sophisticated.

The best way to keep up with the creativity and sophistication of attackers is to draw on the diverse perspectives and creativity of a highly vetted community of researchers. Learn about Synack’s approach to crowdsourced penetration testing, how our model compares to traditional bug bounty, and our end-to-end vulnerability management solution in the Synack Platform.

To view the roundtable and hear more of the CISO discussion from Black Hat 2021, visit here.