Andy Powell of AP Moller Maersk discusses lesson learned from a major cyber attack. SE Radio host Priyanka Raghavan spoke with Andy about the 2017 Not Petya cyber attack and the company’s recovery efforts, including how digital forensics helped in finding root causes; how “ways of working” changed, such as introducing secure by design and studying threat types and good testing processes; as well as his thoughts on zero trust networks and the use of machine learning to help detect future threats. The show ends with parting advice on good practices to follow to recover from cyber attacks.
- Wired article on the attack
- Andy’s talk at Black Hat London
- Steps to Prevent a Cyber Attack
- Cybersecurity training resources on findcourses.com
- Episode 288 – DevSecOps
- Episode 385 – Evan Gilman and Doug Barth on Zero Trust Networks
- Episode 395 – Katharine Jarmul on Security and Privacy in Machine Learning
Transcript brought to you by IEEE Software magazine.
This transcript was automatically generated. To suggest improvements in the text, please contact [email protected] and include the episode number and URL.
SE Radio 00:00:00 This is software engineering radio, the podcast for professional developers on the [email protected] se radio is brought to you by the IEEE Computer Society. I is your belief software magazine online at computer.org/software.
Priyanka Raghavan 00:00:24 Hi, this is Priyanka Ranghavan for software engineering radio, the guest Andy Powell, and me worked for the same organization Musk. Hi everyone. This is Priyanka Raghavan for software engineering radio. And today we have an exciting topic to explore lessons learned from a major cyber attack. And for that, please welcome my guest. Andy Powell. Andy is the chief information security officer of AP Moller Musk. The world’s largest shipping conglomerate he’s accountable for all aspects of information security, cybersecurity, and prior to joining Musk, Andy was with cap Gemini as the head of cybersecurity. And before that, he used to be engineering officer and then, you know, went on to serve as the Cecil for the UK Royal air force. And he’s also the head of cyber defense operations for the UK ministry of defense. Welcome to the show, Andy. We just really glad to have you
Andy Powell 00:01:19 Priyanka many, many thanks. Yeah, I was a bit bit worried with introductions. Like that makes me feel very old.
Priyanka Raghavan 00:01:25 Okay. Okay. So, uh, of course I first questioned you before we actually go on to the attack, which hit Musk is could you introduce the audience to Musk and tell us a little bit about, uh, what they do and also about the technology that is used?
Andy Powell 00:01:42 Yeah, AP monomers kids. Um, many people would have seen the mercy logo on the side of ISO containers going around. We moved 20% of the world trade. We are the biggest container company in the world, uh, approximately 750 vessels, which we operate. We also operate in 70 plus ports, its own rules around the globe. Some of which we own some of which we’re part partners in. We also had a, quite a significant warehouse ticket as well for onward transmission. They’re really the most important thing is that we also move 33% of the world’s bananas. You eat cause to move by Mercer. So that’s always a quite interesting fact. I always use when I think the main thing is that most operates in a hundred and 120 plus countries globally, um, thousand plus employees, uh, and clearly given our critical role in world trade. You know, we are a significant capability and also have significant targets as, as I’m sure we’re covered. Very, very sure
Priyanka Raghavan 00:02:45 In terms of technology, I guess you have like a lot of these IOT devices on your ships and vessels and also the dominant. So,
Andy Powell 00:02:53 So today, um, so if we compare today to where we were even three years ago, the attack itself we’ll come on to that as I’m sure within a few questions to say, yes, we have a significant, if you can imagine we have a very significant it capability around running our business. So it’s quite significant range of technologies from SAP to microservice API type technologies, to MIT and runs a quite significant range of capabilities, but also on the OT operational technology side, we clearly have a significant range of OT capability and we’re instrumenting a lot of that at the moment with IOT networks, those IOT networks, video utilizing cloud technology as well. And we have to protect some, provide protection across those networks. And if you could imagine those OT networks or our vessels, that there aren’t any cranes and we have cranes and observables, each of those has an OT device on board to control crane itself, uh, right down to the fact that a number of our ports are fully automated in a couple of locations like Rotterdam. We have a fully automated system in all of those of course have devices. So a significant technology,
Priyanka Raghavan 00:04:05 Right? And a huge attack surface, as you say so
Andy Powell 00:04:08 Well, he’s a very, very good point. It goes, the attack surface itself has grown exponentially in the last three years, three years ago, for two reasons. One is our digital footprint when our vast range of digital services, there’s the volunteers we’ll discuss. If those is the clients given identity credentials to access services through the digital platforms that represents a massive increase in our attack surface each side, of course, it’s the same challenge with the must be expansion of IMT to monitor and instrument. The OT network that in itself has increased our attack surface.
Priyanka Raghavan 00:04:45 Okay. So obviously now we have to get to the chunk of the, what we want to talk about, which is the attack. And I remember reading this article on wired when the attack happened and it said the untold story of the most devastating cyber attack in history. That sounds scary. So could you tell us what happened on that day? Yeah,
Andy Powell 00:05:04 I think the most important thing is never believe what you read in the price thing. I mean, I wasn’t that most of the time I was at well sporting 70 plus at my clients at the time who did get hit by a lot of pet yet. So I have quite a lot of experience in dealing with it. And clearly I’ve, as I came into this six months after the attack, I was able to sort of fully understand through the analysis and forensics that carried out what had happened, but let’s, let’s go back to, and also this destroys some of the misconceptions that came after the, the wide article, which, which actually was incorrect in a number of ways. I think the most thing was that most was very transparent throughout. We, unlike many companies who are hesitant time and even those sense, we were very open both with our clients and customers, but also with our partners, you know, our technology partners in particular, we involved them.
Andy Powell 00:05:57 We are very open with them. And that was an important lesson we’ll come on to, let’s go back to the day in question that that June day in 2017, when I see what’s happened is the attack itself was so six months before it actually happened. And for many who read the press, it was very clear that the, the route of entry was, was well-planned. So if those who don’t know what it was, that’s what it says on the tin. It wasn’t Petia. And it was, it was not a ransomware attack, a cyber weapon designed by nation states to cause disruption significant disruption, its target was crane and their aim was to disrupt the premium tax system and government system. And also during the holiday period that was to, to occur in June Ukraine. And that weapon was Lorne fat, very single reason. The weapon itself loose like a ransomware.
Andy Powell 00:06:48 We to see it was, it was not an ad. It was the way they used. It was a piece of software meetups, which was the Ukrainian tax software. And this is a lesson for all of us, by the way, for all of us to use tax software, to send out tax returns, it was worth knowing this is third party software. And for many of your listeners, this is a cemetery lesson that all software can be targeted. And it doesn’t mean you have to go directly into the software that company’s using. You can use third party software and get your malware into that. And then of course, the company who wants to use that software, uploads it into that network through a third party. This is what happened to me, doc software, which, which was, we were using to submit tax returns to the Ukrainian government, like many other, uh, Western national companies.
Andy Powell 00:07:38 That software was basically thought at six months before by the states in question who basically got the malware through an employee, be an individual, basically placed this into a software upgrade. And that software upgrade went in place in June, 2017, uploaded the not yet. And that infected many, many multinational companies, including who were operating in Ukraine and within about seven minutes to an hour, the damage was done globally. So your audience understand how this malware operates and they should stay weapons like this don’t hang around. Once they’re activated, they’re quite, quite, they move very, very quickly and they move, they move quickly, they move across networks. And in this case, there were four elements to the malware weapon, which operates it. And this is by the publicized. A according to those elements were things that maybe could have been started if you’d have the latest software upgrades, the latest patches windows and the windows iOS, but most companies don’t.
Andy Powell 00:08:44 Most companies were operating a version of windows where one behind, most of them are not operating windows 10, which windows 10 would have prevented about 80% of this. But unfortunately the 20% through continued installed because it was aimed at some underlying infrastructure within Microsoft software. And it was that it was exploited by the weapon that allowed the weapons to move so rapidly across people’s networks. So really by way of background, it was, it was not a ransomware looked like ransomware. It asked for a bit clean paid to release the data. But in reality, very little bit coin was ever retrieved or paid on the weapon data, bringing people’s networks down. What it did very, very simply was off escapes, the windows, the Microsoft teams, so that the tables that many people are aware of that operate your system through active directory, DNS service, particular DNS service. That was basically what they got at basically what prevented people’s networks from now or the damage was done case. It took us two to three days to get our active directory capability running. Again, you’re aware of the story, probably many have heard of this. All our online backup was also built out by the way and where, so the weapon itself to take our tolerances to network, it was able to attack our online backups.
Andy Powell 00:10:13 We basically were like many companies boldly reliance on online backup that was taken down and the weapon time did direct to directory notes significantly, which meant that at the time, within a day or two, we thought that’s it. We have no active directory nodes that will be taken out. We have no backups because they’d been taken down. We can’t be stopped. The network is without image on an active directory. It’s was going to be impossible to restart the network. And so basically we were pretty close to saying, that’s it. We can’t go much further. Fortunately for us in Lagos in Nigeria, there’d been a power outage just as the attack occurred of which amended the active directory noted Lagos was not online at the time. So add a complete copy of an active directory note in Lagos. And that puts on the first class seats on the aircraft and probably the most well traveled and well looked after. So that says it arrived in may and it allowed us to replicate yet to directory from it so that we could basically replicate that to all the ID notes that we built. But really this, if I go back one, the damage that had been done was significant talking about, since his thousands service taking down a thousand plus applications were taken down, you know, we had no telephone because all our telephone was IT-based backwards.
Priyanka Raghavan 00:11:44 Uh, so just to reiterate, it’s something like more than some 40,000 endpoints, your telephones were down, um, uh, yeah, thousand plus applications were down while.
Andy Powell 00:11:58 So, so the basic recovery period is in three phases for the first three to four days was building, if you like the central core academy to rebuild the central core of the network through the notes. And then we had to, then if you like replicate that by buying fixed fee or the laptops, we start the network. So we bought most of the laptops in the UK, in India and elsewhere. And we then had to replicate what we had built for and out into the various regions that took us between nine days to two weeks. So that sort of length of time to get our core network and processes back up and running weekend. And we wouldn’t have been able to do that, to be honest, without the help of our partners. That’s fine. So we had ID Amazon main network partner who was superbly again, to help us have Microsoft. He did a great job helping us as well. So we wouldn’t have been able to do it at that time at that scale, without the, of partners. Plus also the patients by customers, just fewer listeners, all our ISO containers. So one of our triply vessels moves 19,024 ISO consents, Toshi.
Andy Powell 00:13:07 We don’t have the computer. We don’t know what’s inside each container. We have no, you have no record. So in many cases, these containers had to be opened so we can know what was inside them to the consignment was for, and that level of manual intervention into processes took most of us because we had to work out where our key loads for the all refrigerated containers. And we had to ensure they were prioritized for our clients. Many of our clients are keen to get there, get that cargo again and listen to your clients, you know, software rules the world, but when the software doesn’t work to revert to manual processes, and that’s very, very painful in this model,
Priyanka Raghavan 00:13:50 Right? Obviously we laugh now, you know, talk about, about this recovery process and what you learned from that. So for example, now this kind of thing that you’re talking about, this notepad, you know, between like the state sponsored attack, I mean, how do companies actually go ahead and, you know, sort of model for that thought, you know, try to take those threads into concentration.
Andy Powell 00:14:12 I think you’ve asked a really great question because there were three, probably three groups of threats that most modern companies face today. The most obvious is prevalence rate. About 80% of our threat comes from organized crime. So organized criminality basically got their hands on some quite advanced cyber weapons and some quiet thoughts, malware. And their intent is to basically steal money. Organized crime is making money from trying to steal or, or provide ransomware to, to try and get sort money from targets and their victims. So most of those weapons are the ones that we plan and to try and prevent, because clearly we’re not about to pay out money to these folks. We don’t. So what we do is we build our protection around that sort of 80% threat. If that makes sense. As I mentioned, there were two others rats that we faced today.
Andy Powell 00:15:08 The other threat I’ve just talked about, it was nation state, which would say weapons are in really in two types. They’re the disruptive type of weapons, which yeah, not panty. It was that that time used by states against their enemies to disrupt their economies or to instruct them. We Merced ourselves, probably wouldn’t be targeted by those as we weren’t, if we were a collateral victim of somebody else’s weapon, if that makes sense, and that can happen any time we have to be on the have to be wary of that. So I’ll explain how we do that in a second. And the third threat is from what we called hacktivists is extinction rebellion and others basically use denial of service type attacks to, to try and bring down companies like burst and others who they believe, you know, causing problems. And so we have to be ready for those level of attacks.
Andy Powell 00:16:00 Those three groups of threats need different treatments. So like many companies, what we do is we design to protect ourselves against the most prevalent threats. And we also build a combination protection or proactive protection and reactive. So to go back to my point, we have offline backup now backup processes, where we can use Excel and other type capabilities to replicate systems that might be disrupted. So if the weapon gets through and some of these nation state weapons could be very, very difficult to stop. And at the time, very few people could have stopped, not petiole and faculty, governments probably would have been able to stop.
Andy Powell 00:16:42 And for companies like us to try and stop, it would be prohibitively expensive and difficult. So we have to design measures to recover much more quickly. So it’s nine days to recover from Patriots, like attack in the future. No, we could do it much, much more quickly, but because we’ve designed that covering as a specialist to do that active measures to stop most of the organized crime attacks, the goodies, those protective measures to try and stop them at the front door. And so that’s how we’ve reacted. We’ve looked at the range of threats and then we built processes around handling that risk.
Priyanka Raghavan 00:17:16 Uh, so there’s also this concept of hoarding called red teaming, uh, that security teams talk about like, you know, so we are predominantly a software engineering audience, but could you tell the audience a little bit about what red teaming is and you know, how conduct repair for these kind of attacks?
Andy Powell 00:17:33 I don’t know the fact that this is, this is a good one for your audience actually, because they have a role to play the red teaming approach. So like most companies will say cyber threat capability within the company, your ability to evaluate threats. And if you like test and self testing is really quite important for many people in the old days used to call it penetration testing, which is where you had teams trying to get in. Uh, you know, I used to run the penetration testing teams, but I also kept Gemini. And the idea of that team was that their aim was to get into a company’s network. Often nine times out of 10, we didn’t need to hack into them. We just send somebody through the front door reception, and they would often find a password written down. And to be honest, why would you spend a lot of money and time trying to hack in, if in fact you could just go and steal somebody’s login credentials.
Andy Powell 00:18:27 And so, you know, that’s, that’s one issue. The second is, you know, the exploitation of vulnerabilities and network and that’s, that’s coming on to the point about red team. There are vulnerabilities in your network that you often don’t believe you could have. A lot of the pauses are what we call back doors for, you know, software programming errors. And then what we would tend to uncover is vulnerabilities often self-created it was just poor software design. You know, many of your audience will be aware of the sorts of sequel type injection attacks. Uh, sequel injection is very simply somebody pulling, designing the field and a form such that can be exploited and it can break down a database very, very loosely. If you don’t put the right limits on that particular form, that’s just poor design. You know, one of the key things is these ratings we hire in often sole job is to go and look for those one’s abilities and try to use algorithms, you know, of supercomputers, to be honest, they’re going to go and look for backdoors.
Andy Powell 00:19:32 That’d be left by software engineers and the guns go and look for poor software design. And the going too expensive we tend to do is use the red teams to try and think laterally as well. They’ll go and look in places that we might not have thought of macros, which I hate by the way, which are used the wrong people, crows to make their jobs easier. But what does a macro represent? It’s a piece of software that’s been designed to automate it, role or task people use them all over the place. It’s sort of link application, link process together. They don’t document. They don’t tell us what they’ve done. They don’t tell us where they are. And so we tend to use our red teams to go in and look for those pieces of software that would be, make life easier, but have not been documented. So again, a bit of a call to the audience, you know, don’t be the one we can stop it being attacked, but the red teams are there to exploiting that, to find ways. So we hired them because they think like attackers, they don’t think vanity is, you’ve got to find what we call white hat, hackers. They’re good people whose sole job it is to come and find holes and gaps
Priyanka Raghavan 00:20:49 In the show. We’ve also talked about things like secure by design and, you know, starting security a little early in the development life cycle. So I’m sure you guys are doing it at mosque, but is there any thoughts you have on, does it make sense to do this early? Is that a way to measure success?
Andy Powell 00:21:08 Yes, there is. And there are a number of ways of doing it. So the one thing I’ve learned in life is there’s no one single solution to a problem. It generally means multiple solutions applied. And it’s the same here. It’s if we, if we just simply software design in itself, the software development life cycle, the old STLC process. When I say old, you were now in the development time cycles that people are using, but we still go conventional SDLC, not critical, much more death processes. Developing those processes are exploitable. Okay. If executed poorly. And so there’s a number of things we provide. It’s probably four layers that you look at today, which I’m sure audience will. Many of them will be experienced with. We’ve created a scheme by design hub where we provide solutions to those four issues. The first is where do I go to get approved code code that I can reuse that I know security checks cleared already, so I don’t have to do himself. So, you know, we create secure code that they can download and reuse how much reuse that we know is secure. That that’s good. And so security eyes, for instance, you know, go into a secure API library and you know, you’ve got an API that’s already been checked and cleared. What that does is it doesn’t replicate.
Andy Powell 00:22:29 So that’s the first solution. The second is what we call patterns in software engineer. The first thing you’re looking for is somebody gave me a patent to operate a good patent, and we will build secure patents for them as well. So they’ll provide those secure patents in the SPD home. The idea is they can go and get those secure patterns and use them to build the code. And those are improved security packs as well, but they can reuse. And then thirdly is testing tools that they can sell test. Okay. What I hate is the phone process stopping and calling in a security person to commit testing for them. Why would we do that? Why don’t we get developers to test around code as they do anyway, alongside the normal tools they use for testing. So that process includes security testing and software dies and cannot practice.
Andy Powell 00:23:19 And that’s the issue for us. The problem is, is as many of your audience for no one, one tool conflicts, all the software, we’ve got, there’s different forms of software that you’ve got to provide testing for like SAP type software testing, API and microservices testing. So more conventional protests, and one of them need different tools. And again, we can provide those tools in the secure by design hub. They can be downloaded and used by the developers is a really good piece. And then the fourth beds is what I called penetration testing. Again, why don’t we have self-conscious contracts that were already in place for the developer just to get in a third party, to do a bit of testing of that code as they go with penetration testing. So that those are backdoors. I talked about, um, develop the modules rather than build the whole thing.
Andy Powell 00:24:08 And then penetration test afterwards, I’d run the penetration testing as we go. And then that way, when you launch to production. So there are four key things that were desperate trying to get in place today. You know, if we can get all that up and running like many companies, it eases the whole process and also security people being the bad people, bad people, the developers see us as the, as the people are going to come along to be the bad person, putting a roadblock in the way I want to be the good person who’s helping ensure there’s no roadblocks.
Priyanka Raghavan 00:24:44 Yeah. That’s well said. Yeah. Cause um, most developers think of security as well as QA, which I think right now know it’s changing and not agile way of working people who are adding impediments to the jobs. So, you know, so that’s a good thing to say. So we did a show on DevSecOps, like back in 2017 and that was like, what are you talking about? Like, you know, trying to incorporate security into the development life cycle. Can you talk us through a little bit about that? You know, your experience at most cows had been not, you know, when previously or organizations house that worked.
Andy Powell 00:25:19 Yeah. It’s but as I mentioned already, probably with companies like Maersk and others, is that we have a legacy landscape to sustain. Many of your listeners will know sitting in most organizations, you will have a range of different types of code, additional mainframe based applications. Some many companies still run them existing sort of multi standards of monolithic builds applications that you’ve just added to over the years, a Gnomon should look away. Then you’ve got your mom dev type evolution feature base, which again is great. And then you’ve got your SAP solutions which come pretty low and then you add modules to it, et cetera. So, you know, just imagine that landscape and then just the IOT issue that you and I talked about. You’ve got little bits of code or the OT system monitoring some of the IOT networks. And again, that is exploitable. So that is a landscape that a company like Maersk and many others sort of face today with that.
Andy Powell 00:26:22 So we have to develop solutions for each of those different groups approach. We sort of official code testing in our monolithic applications. We still do a lot of that. A lot of us in a standard approach, you would see many in many places because you have to, you know, um, neuron experience as well. I’m sure your area is that all the applications need to be, as I said, to be fed and watered. And then of course, you’ve got your death professors, we’ve talked about what we need a place for that, but then you’ve got your challenges of SAP, which of course is quite a complicated core. And then trying to understand how you tested the core facts is it is a challenge. And then finally you’ve got your IOT space is not well-represented. And I give you an example, you know, some of the controllers that we uncovered our windows XP Jordan’s really don’t.
Andy Powell 00:27:15 I don’t even start me on the three.one stuff. You know, we have uncovered sort of software IRS standards that are variable in the OT space. So if you can imagine software base to start your testing from the legacy landscape, and you’ve got to be, you’ve got to be smart, we’ve got to do it in different ways, different areas and see your audience who are sort of growing up in the deaf world. Most companies are not startups with digital development is that main area. A lot of companies like ours have that legacy landscape it’s important that people are trained and prepared to operate in those different areas. So they’re the sorts of lessons and challenges we’re facing today. It’s exciting to be a young developer today coming into that sort of environment, that they would be a different challenge. I think
Priyanka Raghavan 00:28:04 We had an episode a few weeks back on mobile security testing and, uh, that was also, you know, like the kind of different voices that are coming out for, you know, cell phones is also, um, you know, you need to support all of that. So I guess imagine how, how it must be at your company. Obviously now we are in this pandemic and this work from home situation and things like that. And then, um, I was reading this article about Google, where, you know, right now what they do is like they’ve just done away with VPNs for all their employees, just to sort of test the security. It’s a zero trust network. So obviously I need to ask you as a CSO, what’s your views on zero trust network? Would you go the Google way at some point,
Andy Powell 00:28:46 It’s an interesting and interesting joined it and a number of forums. I think it depends a lot on the risk appetite of your company, different companies have different companies have different risk landscape. Are you going to operate that sort of a network? Probably not for a number of reasons. If you’re a government organization, you probably have similar sort of level of risk appetite to have a better risk appetite than others, I think is what determines how you want to operate. Second point is what’s the hostile threat to you who is the likely group marked in their homework. Homeworking has been a really good example. You know, most companies like ourselves have seen a rapid increase in fishy type attacks. The bad folks know work working from home. Therefore people working from home don’t take the same care that you would in your office. It’s pretty standard thing.
Andy Powell 00:29:45 You, you know, how many of you have used your mobile phone, personal applications on your mobile phone to BabyCenter document because you can’t get your network working at home. Certainly saddle Joe, I’ll just send it off off. I will send it off my personal computer before, you know, we’ve just done it. You just moved official documents across a lousy unprotected personal network. So I’m afraid zero trust requires lots of education, training and awareness. So it requires that degree of bake 10 security and an assurance that baked in security is there in the products you’re using for many products to be used are not as safe as people think they are good examples. And until halfway through the pandemic, people didn’t realize just how poor it was using processes that restoring the environment. These are the sorts of things you uncover. You can do zero trust in it.
Andy Powell 00:30:44 If you come to a world where, you know, the elements that you’re using are secure zero trust and trust and trust-based networks are about accepting the fact that somebody offers you something that you know is good. I don’t trust a developer and another company, no offense. So I tested it and yes, there’s the overhead because we’re not trusting each other because we don’t share processes. And yes, do we move? I mean, it’s a great debate. A number of years ago about Linux. So those are the many of your audience from the, and would have gone, Hey, that’s the way ahead. We all shared the code. We did the code together. It made it much more secure than the stuff that’s done at behind closed doors. We made it secure because we all worked on it to make it secure. Absolutely. But then what happened is Linux then got packaged to be soured.
Andy Powell 00:31:40 And what then happens? People creates their bespoke versions of Linux. None of it was then open, visible to others. And the minute you make things open is the minute you’ve lost trust. So long-winded answer to an extant question, but we don’t live in a world that is perfect because we have to put in place checks and balances. And the homeworking has shown that those checks and balances are still needed. You know, so we like many companies operate in a VPN based network. We downloaded endpoint security for our homeworkers. We’ve helped them with their network security in their own homes because we know their wifi security has got to be, has got to be improved. We’ve done all of that because of afraid
Priyanka Raghavan 00:32:26 Because you know, you know, the consequences of something going wrong. So yeah, it’s,
Andy Powell 00:32:31 Must’ve create overhead.
Priyanka Raghavan 00:32:34 Of
Andy Powell 00:32:34 Course can’t make it difficult for uses because most of your audience know the minute you make it difficult to use as what do they do. And next thing you know, they’re using some computer and then parcel documents. It’s using suit because the doctor bad company is pansy. We don’t want that. We’ve got to find ways of embracing the tools they need to want to use, but make sure so that they can use them properly. So it’s very important,
Priyanka Raghavan 00:33:08 You know, it’s, it’s amazing how much we are in sync, because the question I was going to ask you next was in terms of designing, there’s always a play between security and usability, right? If you really make something to secure, essentially this at the point where you can’t even enter the application, then yeah. You know, the application has gone, right? Whatever you’re designing or the success of it is how usable it is. So the question is a little bit long winded in the sense that big, one of the aspects of you’re looking at usability and, you know, looking at statistics of how user behavior is, and then designing your system. Is that something that’s also being done with, of course, security in mind.
Andy Powell 00:33:45 That’s a great question, because I think this is important for your listeners as well, because you know, software engineers have got to think, how do I want this to be used? And when they’re designing what they’re designing that code, their features, that, that product, they’ve got a thing. How do I want this to be used? We sell from the user’s shoes coming in. How do they want to access data? And how do you do today? Can you go on Amazon to buy something? You want them to present you with a bunch of recently purchased products because you might rebuy it. And then you want them to provide you with a list of similar products you might be interested in because you might be interested in them. So there’s a lot of what we call analytics behavior. And you’ve seen it in modern platforms today. They, they jump ahead of you. They use data as a means to provide what you want. And what that’s meant is that user expectations or audience know at very high, they don’t want to have to hunt for stuff.
Andy Powell 00:34:41 So when we design security, we have to think exactly the same way. Multifactor authentication is a good example. If you’re a bank today, most Baxter’s multifactors, they should you’ll do a transaction. You will get a, they’ll send you a dependent message on your phone with a code. That code has to be entered back into your computer, having you logged into the system. So you’ve got multifactor. If they may act process too difficult, you can’t get access to the services. And people will say, I don’t want to use that company. They made it too difficult for me to get here. I’ll go and use somebody who’s much easier. And the problems was the company that doesn’t use multifactors that they’re probably exposed to greater threat and will stuff as a greater risk. So you’ve got to make the multifactor journey in that case, much simple, easy to use.
Andy Powell 00:35:26 Okay. And I get really frustrated because I live in a place with bad mobile coverage. So if they send me my mobile, I may not get the coat. It because my mobile, I was not picking up code. I can’t get into the service, what to allow for that and we’ll design it. So they’ve designed it. So automatic calls my next, my home phone, a landline, which immediately means I know there’s a backup. So you’ve got to design these journeys, these multifactor journeys or the security journey so that you don’t scare people away. And when you scare people away, right? They go with new services, which are poor, that are not as well protected. And that’s what the bad guys are hoping you will do. Then they’re all, I mean, good examples, PayPal, PayPal, but I’m afraid, you know, PayPal is still catching up and the security journey is it’s active as your bank, probably not.
Andy Powell 00:36:17 And people to use these third party payment apps and these third party payment systems, because they’re much easier to see we need to use, but in reality then maybe not as well protected, but we both think about making the user journey through the security piece, much easier. Many of your audience will be saying, why do we use passwords? Because I have to remember a password. I have to write it down. Why don’t we just use biometrics? You know, so I can make that my company make that easier for me. And the answer is good, but, but unfortunately, you know, the technology isn’t quite there yet. Uh, we would learn that way. We’d like to use multifactor. We find metrics. We don’t find ways and means of making that journey much easier because we know that passwords are easily exploitable. It’s 90% of possible it’s are insecure that very poor guys know how to break password change very easily. So both find a better way of doing that, for example, but we have to find a way to do that. It’s easy for the user. So they don’t find a biometric device to put their thumbprint on, or it doesn’t get a bit of grease on it and it doesn’t work and they can’t get into the application. So find ways and means of solving present here.
Priyanka Raghavan 00:37:30 So are you, uh, do you actually employ people, uh, who go and talk to your clients to see how to make a better sort of journey in terms of security? Is that what you do with the companies?
Andy Powell 00:37:41 So I guess because I’m selling cyber solutions to companies, so I wanted to meet, I wanted some selling points, a unique site, and a good example for many of your audiences, I’ll go back to my digital frontier. What is the new frontier of people’s networks, companies, networks. It’s not, it’s not firewalls and network security anymore. It’s identity and access management.
Andy Powell 00:38:08 So we need to go talk to the vendors who are providing solutions and say, how do we make them customer friendly? So how does a customer coming into my website, wanting to access a service and Brooklyn container and get data on that container? How do I make that journey easy? How do I do that? I do the identity and access for them in a seamless way. How do I secure the data TKI and other that they’re sending to me about? How do I ensure that their data in my network is secured and easy to access? Um, how do I walk through that customer journey? We do yes. Use companies to help us do that are lots of third party companies out there who will walk you through the journey of a customer and say possible react. And it’s a bit like rail seedling, but from a client perspective, Using that sorts of methodologies.
Priyanka Raghavan 00:39:04 Okay. I was also curious in terms of nowadays that we talked about analytics, you have a lot of this data that I’m sure you’re collecting, but you use the dot for also, uh, in terms of, you know, studying threats. So is that a specific kind of, do you look at that kind of, uh,
Andy Powell 00:39:19 We use the parties to help us. There are companies out there, um, who provide data, which help us analyze the threats environment and the user environment. Um, clearly the data we use is, is fully cleans through privacy laws and privacy laws, where we use data for the data we often get from third party companies is, is analyzed through third party tools that help us understand, um, patterns of behavior, threat patterns, et cetera. Patterns is capable to see a way in. We live in, you know, you’ve got to look at patterns of behavior, patterns of use. You’ve got to look for changes in those patterns because that often indicator of something that might not quite. Um, so for instance, a customer’s behavior in logging into the network changes that indicates if, if they normally log in in the morning and the afternoon to book containers and check that container moves. And then suddenly you’re seeing a range of longings through the day significantly increased. That that gives you a bit of an indicator that maybe either something’s happened on the client’s side or some of these using the client access to get into the network. And those are the sorts of signs you can look for most. So looking for those sites, I’m usually that’s a behavior, uh, usually teams, because that then helps us, uh, rapidly, uh, proactively then go look for threats.
Priyanka Raghavan 00:40:49 So I guess what you’re talking about is, uh, uh, like you’re looking for these patterns, but are you like having these fancy, like what they show in these Hollywood movies, like a really cool operating center where, you know, you have this many screens where you’re looking at, Hey, that container looks odd behavior. Is that what I mean? What’s that tell us a window into that. To me, that would be interesting.
Andy Powell 00:41:08 I think companies like ourselves are no different to many other companies. We have a triple C as it’s called, which is our ours. We also have global cyber defense center and they are multi screamed when our people are, are in them. They look system remote sort of capability. It’s just been accessed remotely at the moment, but in the same ways, it’s very effective, but yes, in those screens. So the triple C for instance, is monitoring application bakers all the time. They’re looking at how applications are being accessed. They’re looking at how those applications are operating and we’re able to collect a lot of data location, use lot of data and network on how things are operating. And that allows us to create pitches your idea, I out, what are you like? I wish I wish I had the sort of money to create those Hollywood Susan that allows us to have good eyes on lots of those statistics.
Andy Powell 00:42:04 Lots of those use patterns. And my analysts, my tier three and tier two analysts are very smart folks. They can immediately spot something unusual, um, in the collection of those logs. So we do that. Like those students company companies, we collect security logs, and we analyze those logs. Using software allows for patterns in how the people are accessing various applications, look at the logs. And if there’s something wrong, as I mentioned to my analysts, go hold on. That doesn’t look right. And then we focus on what, what might be happening around that or some software. But I just want to say something to your audience capability. Isn’t just software capabilities, people process. If you have people process and a tool that’s capability, and every combination that suite combination software is an element. It’s a tool to help the process, to help people self that capability. Does that make sense? And therefore, when you suffer engineers that design and their code, they need to think people process need to think how it works together. And that’s what we’re looking for all the time. I’m not looking at software, I’m looking at how the software is being used by people to implement processes. And if that doesn’t look right, that gives us an indicator that it’s been exploited by this.
Priyanka Raghavan 00:43:28 So a lot of the recovery, uh, of course, you’ve got your tools. Um, you’ve got good software practices, good design practices as we discussed, but a lot also has to do on process. So, uh, that is also something that has changed a lot in Europe.
Andy Powell 00:43:43 Yeah. And again, um, time process and the operation process. So to look at all those processes. So clearly in the design process, we’ve, we’ve introduced a beacon consistent, which allows us to see, to make sure those processes are being executed during the design phase. That’s not a spine, there’s a cap looking over the shoulder of the defendant, but that’s, that’s there to help with, you know, processes during coding. But we also looking in the sustainment of that software operated, and we look again using beaches as a means to sort of see how those processes are being worked. And it’s important. It’s important on a process. And that process gets long. We know the right processes being followed, we know baskets. So making sure that the process has been followed good, we’ll do that teach to process.
Priyanka Raghavan 00:44:34 So the process and people and technology is what is the key, uh, that’s that’s from your recovery perspective, I guess. So the other thing I wanted to find out was also in terms of, you know, you talked about your pattern rate, the secure pattern that you have that also gets, I guess, improved, uh, based every time, like one of our rope broadcast episodes, we also talked about, you know, machine learning models built for security. And there was this thing that, you know, the machine learning models, they also get tapped. And any thoughts on that? Like, do you have any safeguards for that or have you thought so far ahead
Andy Powell 00:45:11 And knew most of what I’ve been talking about by the way, just to emphasize this is just of, this is a global audience to walk away saying, say most are doing all of these things. Most, most, most of the industry’s doing, oh, I guess I’m repeating two audiences to booth things that we’re seeing and pivoting at the moment to go back to your two extent question. AI is the future. You know, AI for all of us is something we need to embrace. We need to look at AI and, and insecurity. We look at AI from two angles. We look at AI as a way of attacking us. Most of your audience, be aware of both the subverted by to attack and deny capability in the network. And, you know, there’s areas where AI is getting really smart that they’re using AI to do multi password breaking.
Andy Powell 00:46:03 They’re trying to hack passwords using AI. They’re using AI tools today against us, you know, in order to try and attack us. On the other side, we’re using AI tools to defend us. I’ll be honest with you to do many of us. We have to lose that. I can’t take 10 million locks, Scooty logs and manually go through those the box. I have to have software and AI tools to look for patterns and changes and difficulties and that software in that pattern behavior software that AI. So, so, so important on the security side, we’ve seen some great capabilities coming out to the market. You know, Watson has been the IBM Watson has been there while looking at the security patterns that using it in that space. There are many other companies, Microsoft are doing the same with that tooling. So a lot of AI tooling has been developed in the security space.
Andy Powell 00:46:51 What is the one worry I have? That is the point you raised? What would I do if I was a bad guy, I want to attack my network. I’m going to attack the tool that I’m using to defend or synthetic or try and disrupt it. If I can disrupt the AI tool they’re using, I can launch an attack, which might be more successful. Does that make sense? So yes, I’m, I, it goes by a third party software. We’re using tools that we built by us. And if I were a bank guy, I will try and get into those third party supply chains and disrupt. Just going back to the opening question, you asked me about the most attack, the most attack wasn’t onto a piece of immersive software. The most good tap was the ones through third party software that we were forced to use that was provided by another vendor and sustained by another vendor. So we have got to like, all the community has got to get better at third party, software security testing and evaluation, zero trust network, trust software, other people. So we, as a community become a little bit more joined up out of the early days of Linux. We were not going to get to that Nirvana.
Priyanka Raghavan 00:48:00 When I work also, we sort of do that. We do check our third party open source libraries. Hopefully we’ll do that with renewed vigor after this conversation. So I think I’d like to end the show with asking you, I think what you alluded to this, it’s only a matter of time before you get hit by any major company or small startup could get hit by a cyber attack. So if there were three things that you would, uh, give us advice, uh, could you just, you know, three things that, you know, we should keep in mind,
Andy Powell 00:48:34 Uh, that I think every company and we’ve done it and burst, and it’s three simple principles and we build three target operating models around the first principle is risk and understand the risk risks to your network. Where are those risks? Where are those vulnerabilities? Is it comes with visibility. You need visibility. So the first thing is risk alike with visibility. You need to know where stuff is, and then to understand what that risk is. The second piece is you need an operational capability immediately to deal with events that occur proactively and reactive, and you need to build that sort of capability. So a lot of big companies don’t have security operations centers. They don’t have what I call the goalkeeper and what are the three things you need? You know, you need to go keep up. It’s pretty essential. And that’s what security ops center provides. You need that goalkeeper who can operate the processes and ensure things can work if, if they would disrupt it. That’s the second piece that you saw on the surface that you saw as the secure by design those three pieces of risk, operational capability to secure my design, get those three things, correct. In any company in the right balance. And you’re actually in a good place.
Priyanka Raghavan 00:49:52 Okay. That’s great. Thank you so much for this conversation, Landy. Thank you. Yeah, it’s been great learning experience. I think quite different from what the other shows you’ve done. Cause we’ve looked at a case study and I hope the listeners enjoy. So just like to sign off and say, thank you for listening to everybody. This is Priyanka Raghavan for software engineering data.
SE Radio 00:50:15 Thanks for listening to se radio an educational program brought to you by AAA software magazine for more about the podcast, including other episodes, visit our [email protected] to provide you can comment on each episode on the website or reach us on LinkedIn, Facebook, Twitter, or through our slack [email protected]. You can also email [email protected], this and all other episodes of se radio is licensed under creative commons license 2.5. Thanks for listening.
[End of Audio]