NSA security and why “any cyber threat that fundamentally challenges our core cultural institutions is the biggest threat” – Interview

Avatar
By Sam Brake Guia August 13, 2018

Our digital lives are plagued with vulnerabilities. For many of us, we are open to attack due to lack of awareness and knowledge. The best way to combat these weaknesses is to prepare and educate ourselves. But for those at the top of their game, this should be a given, and there is very little excuse for vulnerability and weakness.

This is why it might come as a surprise that the NSA hasn’t implemented post-Snowden security fixes. The NSA Inspector General’s office has published an audit alleging that many of the Snowden-era digital security policies have yet to be addressed, at least as of the end of March 2018. According to Engadget, it hasn’t correctly implemented two-person access controls for data centers and similar rooms, doesn’t properly check job duties and has computer security plans that are either unfinished or inaccurate.

To understand more about the situation, and the threats we currently face in our digital landscape, we spoke with Nathan Burke, Chief Marketing Officer at Axonius, provider of the first cybersecurity asset management platform to help companies see and secure all devices.

As a recent NSA audit has demonstrated that post-Snowden security fixes have yet to be implemented, resulting in many potential security threats. What do you think it will take in order for the NSA to make these improvements? Eg A terrorist threat, damaging leak or attack of a certain level?

That’s kind of a tough question, and my answer can really only be speculative at best. I think it’s important to look at the problem of cybersecurity asset management at the scale of an organization as large and complex as the NSA. It’s funny that in 2018 when we have so much innovation in cybersecurity with technologies like deception, automation, and machine learning that something so simple as knowing how many devices you have and whether they are secure is still really hard.

The issue is that we have so many devices: cloud, virtualization, mobile, BYOD, IoT, servers, desktops, containers, etc. Add to that the many different layers of IT and Security products that manage these devices, and you start to understand why large organizations have trouble having comprehensive visibility into everything in their environment. You can’t secure what you can’t see, and in a fragmented world, it’s hard to get the basics right.

So that’s the problem. That’s why it’s so hard. I’m not sure whether it’s a question of what forcing function (ex. Terrorist threat, damaging leak, or attack) will cause agencies like the NSA to make these changes. I think it’s more of a question of: How can they easily launch an ongoing process to get visibility into every asset and then find the assets that need immediate action to make them more secure.

In response to this looming threat, security expert Richard Bejtlich has drawn attention to the situation, tweeting about the severity of this issue with his 50K followers using the hashtag #biggestunsolvedbutunsexycybersecurityproblem. Do you think to call attention to this issue using social media is the best approach, and if not what would you suggest people can do to address this issue?

I loved that twitter conversation, as it both highlighted the problem, but also had some very clever and funny responses, my favorites of which are highlighted in the video below.

I actually really love the fact that this was a conversation on social media, as it let security and IT experts weigh in on why the problem exists and why it’s important to solve now.

Now, the traditional response from any cybersecurity vendor would be something like “If anyone wants to solve this problem, they should just buy the Axonius product, and everything will be puppies and roses.” But we’re kind of allergic to that approach.

Asset Management Isn’t Sexy from Axonius on Vimeo.

Instead, our philosophy is this: if organizations could connect to every security and IT solution that could give information about assets (Asset-based solutions like cloud, MDM, Active Directory, Network-based products like switches and VA tools, Identity-based products and Agent-based solutions like EDR and patch management), they could then correlate that info to understand all devices so they could ask interesting questions and get actionable answers. These are things like:

  1. Show me all Windows 10 devices that don’t have my endpoint agent

  2. Give me a list of all virtual machines that haven’t been scanned by my vulnerability assessment tool

  3. I’d like to see all unmanaged IoT devices manufactured in China

The list goes on and on.

At the start of this year, MIT published an article listing the most damaging cyber threats our society could face. In your opinion, what is the great cyber threat we face as a society?

That’s an excellent question. I think that any cyber threat that fundamentally challenges our core cultural institutions is the biggest threat:

  1. Government – In a democratic society centered around a fair, accurate, and free vote, any threat to the legitimacy of the electoral process is a huge problem.

  2. Finance – Financial institutions are always a huge target for obvious reasons, but if the public were to lose trust in their ability to keep deposits secure, it would be devastating.

  3. Critical Infrastructure – Without power, water, and infrastructure, everything else is a luxury.

  4. Healthcare – With some hospitals forced to turn away patients due to ransomware and the new threat of weaponized medical devices, threats to healthcare can not be overstated.

  5. Trust – Trust is the common theme about all of the potential cyber threats and is really what is underpinning any conversation about cybersecurity. In light of threats to our government, finances, infrastructure, and healthcare, are we doing the best we can in cybersecurity to ensure our ongoing trust in these institutions?

I understand that Axonius recently added 3 high-profile cybersecurity and innovation experts, Edna Conway, Hardik Parekh, and Tomasz Chowanski to its Advisory Board. These must have been tough positions to fill. What attracted Axonius to choose these three individuals?

When it comes to our advisory board, we’re looking for industry experts with a depth and breadth of experience that will help us understand how to capitalize on the huge opportunity in asset management for cybersecurity. Edna, Hardik, and Tomasz represent some of the largest and most innovative companies in the world, and they all understand that in order to get cybersecurity right, you have to nail the basics. We’re incredibly proud and humbled to have them as advisors, and plan to announce a few more cybersecurity heavyweights as our advisors in the coming months.

Moving forward, what is Axonius’ top priority over the next 6 months?

I’ll give you our top 2:

  1. Getting new customers – Sure, that’s probably an obvious one. As an early stage company that launched our product in March, we’re working with organizations around the world that are trying to solve the asset management challenge for cybersecurity. Since we don’t deploy any agents, the size of the customer doesn’t really matter to us, and we’ve recently deployed at a global customer with over 150,000 employees.

  2. Investing in the product – We’ve already built integrations for over 70 security and IT products, and we’ll continue to improve our cybersecurity asset management platform. We want to connect to anything that can provide useful information about the intersection of users, devices, and how they adhere to security policies. We also want to add more automation into the platform to take action on the insights we are able to provide.

We have releases every 2 weeks, so 6 months seems like a lifetime. But I can guarantee that when we look back we’ll be amazed at the progress.

Disclosure: This article includes a client of an Espacio portfolio company