Threats Are Only Getting Worse: A Q&A with Carbon Black’s Tom Kellermann

At the RSA 2019 Conference this year, Early Adopter Research’s Dan Woods spoke with a number of cybersecurity professionals. One conversation was with Tom Kellermann, chief cybersecurity officer at Carbon Black. Woods asked Kellermann about his three key cybersecurity questions for 2019 and delved into the future of cybersecurity in general. This is an edited version of the conversation and the podcast can be listened to in full here.

Woods: What was your background in cybersecurity?

I’ve been in cybersecurity 22 years. I was a hacker for 10 years before that and I was turned by a college professor at University of Michigan. My first position was at the World Bank Treasury security team where I was for seven years. We were investigating the future of electronic finance and the risks and externalities associated with connecting all the central banks of the world to the Internet. The World Bank and the central banking community at that point was very much caught up in PKI, otherwise known as non-distributed modern day blockchain. And we realized that there were a number of ways in which that could be compromised. And from there, I was one of the founders of Core Security, Core Impact. Before the Metasploit framework, there was something else that people used as a skeleton key for the Internet. I trained government and banking red teams on how to get in and out of systems and develop exploits for vulnerabilities. Then I was at Trend Micro as CISO and then I spent two years as a venture capitalist investing in tech transfer out of the intelligence community, the cybersecurity community, banks and now I am I think on my last and best job ever, Carbon Black, chief cybersecurity officer.

How could you use the NIST framework of identify, protect, detect, respond and recover to explain the product footprint of Carbon Black?

Carbon Black is a 16-year-old firm whose technology came out of the NSA. The founder and my boss, Mike Viscuso, the chief strategy officer, was on the tailored access division of NSA which is a euphemism for the offensive side of the ball. And Carbon Black actually pioneered the original protection capabilities, the whitelisting capabilities that are mandated. Carbon Black also pioneered the response capabilities associated with endpoint detection and response with Carbon Black’s original product, which is CB Response. And then now what we’re doing is we’re morphing into a cloud platform company that provides you with five unique capabilities delivered through a singular agent that can allow you to do protection, detection, and response as well as querying your entire infrastructure and being able to really assess the state of play of the hygiene of your infrastructure but also be able to open a command-line interface to suppress any illicit activity.

Let’s discuss the idea of zero trust. It’s really exciting — instead of having this zone of trust that’s created by firewalls or some other mechanisms that protect you from the outside, you will abandon that concept and instead be suspicious of everyone and then basically create a sort of personalized zone of security around every individual based on what you know about them. You would think that in such a model, something would go away, that you would no longer need the mechanisms that create the zone of trust. But in fact, in most companies, if they implemented zero trust they would actually still have all the cybersecurity they need today and nothing goes away. So what then does zero trust mean in practice?

I think it’s an important shift especially since cloud computing, mobility and the development of applications have allowed for hackers to bypass network security and network defenses and the zone of trust that you described. Given that I’m from D.C., this is very much a secret service model, the zero trust model. It’s about increasing visibility, continuous monitoring, and ensuring that those who have the keys to the castle are the right ones at the right time to access services or credentials. It goes to the point that given that the insider threat has been one of the biggest challenges facing the cybersecurity community, there’s also been the digital insider threat which is where the hackers have maintained persistence on systems through the deployment of steganography or remote access trojans or secondary command and control on a sleep cycle. And so you have to have the capacity to have zero trust vis-à-vis east-west traffic, those things that move within your home, within your perimeter, within your environment. You also have to be able to suppress activity.

So one of the design principles of Carbon Black which is foundationally tangential to zero trust is intrusion suppression. Intrusion suppression basically asks whether you can detect, divert, contain and then hunt an adversary unbeknownst to an adversary. And to achieve that, not only are we investing heavily in R&D and we’re trying to create multiple capabilities through a singular agent and obviously increase the tamper resistance of that agent but we’ve opened ourselves up in our API up to major security players. But zero trust to me is continuous monitoring, enhance visibility and the capacity to suppress an adversary when they’ve already bypassed your perimeter.

What you’re saying is zero trust is just the rational assumption that people are going to get through and that even inside your zone of trust you have to keep checking, keep monitoring, assume somebody has gotten through and keep looking for them.

That’s right. Your perimeter is going to be bypassed, inevitably people get in, whether it’s the good guy turned rogue or the good guy’s device or gal’s device that has been compromised and set to attack your infrastructure from the inside out, you have to be able to stop the attacks that emanate from inside out and then east to west.

Only in a world where you are completely in the cloud, where there is no essential on premise could you actually become a perimeter-less company?

Yes and no — it depends whether you’re a hybrid cloud or a public cloud. Remember, when you move to a public cloud environment it’s much like moving to a condominium complex in a tough neighborhood in a major city. You cannot rely on the concierge and the elevator locks to protect you from the fact that your neighbor had a house party and you didn’t leave your door locked. The metaphor is that you are still responsible for the security of the endpoints and the applications; you need to monitor those. And if you can’t handle it, you should get an alert triage service or an NDR vendor to do so for you which is also one of the aspects of Carbon Black that I’m most passionate about.

Let’s talk about portfolio pruning. It seems like we’ve only had additions to the cybersecurity portfolio, we haven’t had any pruning of capabilities yet where a new capability actually replaces an old capability. Will we ever get to a meaningful pruning of our cybersecurity portfolios?

This is going to go to a question that we should discuss later which is the whole governance cycle or what CISOs are doing. You have CIOs and CISOs who have a religious relationship with certain vendors. And because they were the ones to deploy these capabilities for the security of their enterprise, they do not have a willingness to rip it out because essentially they would be admitting that their baby is weak and vulnerable to attacks in the wild. Part of the challenge of RSA is that in order to fix the 5% problem, you have thousands of smaller vendors who are trying to provide silver bullets to add on to these large vendors, hoping that they get acquired, hoping that they can actually become the answer to the critical gap in the analytics and in the behavioral detections of those major vendors. I’m hoping that this is the year of an awakening, but it’s going to require that CIOs are no longer the bosses of CISOs. Right now, you have a governance crisis in cybersecurity. You have, in most cases, heads of security reporting to CIOs. That’s your defensive coordinator reporting to your offensive coordinator. CIOs nowadays are basically Chief Financial Officers, they’re looking for increased efficiency, increased resiliency, and increased access to services. They’re about uptime and what they don’t respect or appreciate is that the CISO may actually challenge the new mobile app development, the new protocol that’s enabled, the new remote user set that’s been espoused.

What is the tension in the governance crisis?

CISOs don’t have their own budgets and they can never say no to a CIO. A CISO can say, “This is the craziest project in the world; you’re expanding the attack surface of our corporation by doing this thing, Mr./Mrs. CIO,” and that person still has the authority to tell them to sit down and shut up. A CIO basically gives breadcrumbs from the table to the CISO community, and less than 10% of IT budgets are being spent currently on cybersecurity in an Internet environment that is incredibly hostile. The FBI’s number one criminal priority is still cybercrime but prosecution rates are less than 2%.

One of the things that could lead to pruning is pruning of vendors, not necessarily pruning of capabilities because people consolidate things. Another would be integration. 

This is why at Carbon Black we are dedicated to our integrations. We’ve opened up our API for folks to integrate with us, there are hundreds of vendors that have done so not just to capture our customer base from their perspective but also to enable this contextually holistic suppression of activity across both of our infrastructures as they relate to the wild. One of the major reasons I’m part of Carbon Black is because of that culture of integration. In addition, we have an entire defender community of 20,000 folks who are regularly using our hunt capabilities that are sharing TTPs and watchlists as we call them, within our infrastructure to improve the predictive analytics, not just of Carbon Black but of all the folks who have integrated with our APIs.

So it’s possible to have better integration of cybersecurity capabilities without having a few vendors dominate?

Yes and it has to be that way because you cannot be evangelical as it relates to your own capability and your proprietary code. You have to be able to civilize cyberspace. Information sharing is the most important aspect of our community and it needs to be improved because the hacker community shares as much if not more telemetry than we do through their dark web forums.

But there’s a consolidation underway where a few players are gaining more and more capabilities. That is what’s occurring; many of our major competitors are doing that. But again, it’s the same reason we don’t provide services. I’m not going to name names but you’re going to provide someone with a bulletproof vest and a bulletproof car and then you’re going to provide them with gravedigger services on the backside. It’s the same reason that major accounting firms were essentially forced to split back in the day after Enron. You can’t audit someone and provide the answer.

What’s the migration to more cloud-based cybersecurity — when is it going to happen, what’s going to drive it and what are the limits of that migration?

We have 5,000 customers at Carbon Black and we also have a huge bastion of hundreds of government agencies in the US and Singapore and the UK and Germany as well as major financial institutions and 34 of the Fortune 100s that matter that are not willing to move to cloud. And that’s why we have CB Protection and CB Response on prem. We respect their culture, we respect their risk threshold for that matter and their desire to maintain their own security operation centers that are well-staffed, that are well-trained and that are using on prem capabilities. We don’t want to force people to have to make that choice. That being said, the majority of our new customers are moving to our predictive security cloud which is a platform that provides multiple capabilities through a singular agent.

We eat our own dog food, so corporate security of Carbon Black, not only is it protected by Carbon Black capabilities but it’s also protected by companies that we’ve integrated with and we ensure that we are constantly not only eating our own dog food but we are practicing in that environment. I think that the hybrid cloud model is probably best suited for those corporations and industries that are most at risk.

For those companies, what is the hybrid part? What stays behind in line?

For the government model and the financial sector, major tier-one institutions, their most sensitive, critical assets are within a traditional segregated environment. For financial institutions, that high-frequency trading platforms, the portfolio managers’ endpoints that are actually leveraging positions in the international markets, the wire transfer, SWIFT-based systems, and the like which, if it fails, you can be put out of business. The worst-case scenario for a cyber attack is not failure and it’s not theft; it’s your environment being used to attack your constituency.

How many CISOs would be better off not spending on new capabilities but instead spending on training, on using their existing tools better to improve their operational discipline, configuration management, automation, better analytics, understanding where they are?

We need to train as we would fight: offense informs defense. Most of the major attacks are successful because of a lack of ops discipline and a lack of effective training. But there’s something else missing here: they need to conduct regular hunt exercises. They need to actually hunt for an adversary regardless of whether they’ve been warned of said adversary existing in their environment. They need to proactively hunt.

In cybersecurity today, the idea is that the people are the perimeter and so there’s no way that you’re going to get out of having people have a cybersecurity mindset. On the other hand, it doesn’t seem like a lot of companies have been effective in making that just a normal part of business. How do you create that mindset?

You have to have visibility into everybody’s endpoint, particularly if the endpoint is owned by the corporation. You need to be able to capture the unfiltered data from those endpoints to get any kind of telemetry on when this person is acting malevolently or idiotically as it relates to the environment around them. Another thing that’s important here is that people should have just in time administration. It’s a term that’s been used in the DOD for a while — there’s no reason why everyone should have administrative privileges at all times; it makes it a lot easier for an adversary who pops or hacks that box to leverage lateral movement into your infrastructure. These people need to be made aware that cybersecurity is not an IT problem, it’s not even the straight risk management problem, it’s a brand protection problem and whether it’s the brand of the corporation or the brand of you as an individual or the reputation of you as an individual, the day that you are found to be polluting your company, people inherently will mistrust communications from you.

A lot of my friends who are CTOs, CIOs and CISOs are feel uncomfortable about buying cyber insurance but are being forced into it and not knowing how to argue their way out of it. When you look at cybersecurity insurance, it’s often policies that are written where there are huge numbers of exceptions and the claims are frequently not paid either because the insurance is written so narrowly or there are so many escape hatches. If you were a CISO, would you even try to argue against the request for cybersecurity insurance or would you just try to minimize the expense on it?

It depends on the business that I’m in. Most cyber insurance is advocated by general councils who are wary of the strategic acumen of their CISO. Most cyber insurance policies are not covering first party risk — they’re basically covering the legal expenses or the incident response expenses and the notification expenses, not actually the loss itself. It’s well known the insurance sector’s pool of cyber insured is not large enough to take a really significant hit. I find it funny that some of my competitors are offering insurance policies for when their product fails which is another example, I think, of the mythology behind the effectiveness of insurance in a market where the insurance isn’t covering the first-party loss and where the insurance can be essentially disavowed due to acts of war when we are literally dealing with a cyber-insurgency in cyberspace. So I’d say, if you have the resources, do it, if you’re in a traditional, corporate business. But if you’re in a business that has significant assets that involve intellectual property or you’re in the financial sector or if you’re a defense contractor or if you’re in an organization which could be leveraged to essentially create a systemic phenomenon through island hopping where they commandeer your infrastructure and then attack your constituency with it, I think there’s a better use of your funds.

You’re coming out tomorrow with a bank heist report. Why don’t you tell me the history of this report and what it’s going to tell us?

Back when I was at the World Bank, on the World Bank Treasury security team, the first time a report was written about attacks against the financial sector was a book called Electronic Safety and Soundness in 2003. This book spoke to the trends of attack against financial institutions and the failures of the security posture and the failures of governance. Last year, my first year at Carbon Black, I decided to revisit this and interview all of our major financial institution customers as well as our partner customers specific to the threats that are being exhibited in the financial sector but with more visibility than the Verizon Data Breach Report. The problem with the Verizon Data Breach Report has always been, “This is the vector; it’s email.” They’ll never talk about mobile. But that is the vector and they stayed in for this many days and this is what kind of malware we’re seeing. Why did they stay in for that long? We’re trying to really dig into the financial sector and how the criminal conspiracies are evolving, how they are staying in systems for so long and how the most secure institutions and organizations of the world are being breached.

Some of the dark facts are that 67% of financial respondents noted a dramatic increase in cyber attacks this past year that was not due to increased visibility. And 79% of those said there was a massive manifestation of sophistication in the cybercriminal underground. Whether that was due to the fact that you have US government and foreign nations military-grade cyber weapons being used nowadays widely, I’m not sure. About 70% saw lateral movement. They actually saw these folks moving within systems, between systems and then moving out. So they not only got in, they’re moving deeper and deeper into the infrastructure and then trying to island up into associated partners, subsidiaries and/or major customers. And the worst stat was that there was 160% increase in destructive attacks from last year. This means the adversary, not only did they rob the bank but now they turn it into a hostage situation. And they were doing this purposefully. What I found to be intriguing was that when the defenders were conducting incident response, one out of three times they were suffering from counter-incident response. And this speaks to something that we’ve been doing wrong in that we changed the way we conduct incident response. We can no longer just flip on the lights and say we’re calling the cops.

To make it clear, what you’re talking about is that the attacker knew that they had been detected and that they were doing things to avoid detection?

Yes, then they were starting to delete logs, they were dropping wipers in the system so it destroyed subnets, wipers being something that can literally take your machine back to the rock ages. This type of knife fighting now between the defender and the attacker is significant because we used to deal with bank heists that were like smash and grab, break in, take the money from the teller but this is different. And it speaks to the level of impunity that the adversaries are feeling and it also speaks to the fact that they do not want to give up their footprint within the infrastructure, nor will they willingly leave. It’s something we should pay attention to.

Why do you think the quality of the cyber-criminal practice has improved?

From a nation-state perspective, North Korea has been a direct beneficiary of tech transfer from Russia and the Russian dark web. In fact, the great irony of the North Korean attacks against the financial sector where they’ve pillaged billions of dollars is most of those monies are going to the ballistic missiles and capabilities that are being provided by Russia for their nuclear armaments. The best kill chain in cyber, kill chain being the upper-end of the steps that an adversary will take to hunt you in cyber, has always been the Russian dark web model but I think more and more criminal syndicates and nation states are emulating that model, particularly as it relates to the third phase of the kill chain that we would call maintaining a foothold.

What’s the Russian dark web model?

The Russian dark web model is that they recon a target significantly and they then deliver a customized piece of attack code, typically filed as malware or a zero day exploit to an endpoint. The first thing they do when they compromise the endpoint is to escalate privileges or to compromise credentials that will allow them to have superuser access on the device. They then deploy a remote access trojan or a secondary C2 in a Steg file to the device. They then move laterally and do it again, the process, the privileged escalation and deploying two forms of command and control, one of which is on a sleep cycle. They’re still quiet, they still haven’t taken anything, they still haven’t destroyed anything but they’ve now seeded the environment. And they maintain their footprints, many times they even patch the vulnerabilities they’ve exploited for the purposes of counter-IR because they know one of the first things you’ll do as a proactive CISO or IR person will scan to see if the host was even vulnerable to attack. Well, guess what? It’s fully patched. It got fully patched last night. “Did you patch it? I didn’t patch it.” “Did you patch it?” “I didn’t patch it either.”

That reminds me of the funny part of the Target exploit where the actual hackers encrypted their files. Nothing else was encrypted on the point of sale; only the hacker payloads.

That’s right. And that’s just it, they’ll use your encrypted tunnels to run in because you cannot forensically work well with that. This also goes to the blockchain discussion that everyone’s having, thinking blockchain is the answer to everything. Blockchain is essentially distributed public key infrastructure. We’ve seen it before; the banks tried to protect transactions solely with this function before. The great weakness of blockchain and PKI always will be the two ends of the tunnel. The security of the endpoint that can lock the transaction or the exchange itself. Both of which are vulnerable. Most exchanges have terrible cybersecurity. Most endpoints are using legacy stuff to protect themselves. And so the hacker is going to go after the exchange or the endpoint. In fact, it’s so bad in Russia that they enacted a law in December 2017 that stated that any crypto-currency that was moved back into the financial sector, where they could not identify where it came from, you just pay a 13% tax.