On Diversity of Defense & Defense in Depth

9-23-2024 (Monday)

Hello and welcome to The Intentional Brief - your weekly video update on the one big thing in cybersecurity for growth stage companies, investors, and management teams.

I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.

Today is Monday, September 23, 2024.

There’s been a lot of news and discussion in the last week that’s cyber-adjacent - including exploding pagers and handheld radios - and while there’s some good and necessary discussion there, those topics aren’t particularly relevant to this audience.

Instead, I want to talk again about software quality and how the lack of quality in software could or should drive our security programs.

No Quality? No Problem. On Diversity of Defense and Defense in Depth

In keeping with their theme of being very busy, the US Department of Justice last week announced a “Court-Authorized Operation” by the FBI to disrupt a “Worldwide Botnet Used by People’s Republic of China State-Sponsored Hackers.”

The announcement notes that:

The Justice Department today announced a court-authorized law enforcement operation that disrupted a botnet consisting of more than 200,000 consumer devices in the United States and worldwide. As described in court documents unsealed in the Western District of Pennsylvania, the botnet devices were infected by People’s Republic of China (PRC) state-sponsored hackers working for Integrity Technology Group, a company based in Beijing, and known to the private sector as “Flax Typhoon.”

Now, why is this important to us?

Other than the obvious - that our companies may have been the ultimate targets of these espionage efforts, or that technology used by our companies may have unwittingly participated in the botnet - the larger picture comes from how these attacks were carried out.

There are two key elements:

  1. Leveraging existing infrastructure to disguise malicious traffic as legitimate; and

  2. Leveraging what Politico called “an astounding array of vulnerabilities — about two dozen different exploits targeting various IoT and router devices” to carry out these attacks.

Combined, these techniques are known as “Living Off the Land” - or LotL/LoL - and they make such attacks very hard to detect and defend against.

At the same time - and likely not coincidentally - in a keynote address at Mandiant’s (a Google company) event on the same day, CISA Director Jen Easterly characterized the core problem as “Technology vendors are the characters who are building problems" into their products, which then "open the doors for villains to attack their victims.”

She went on to say that calling security holes "software vulnerabilities" is too lenient, and the phrase "really diffuses responsibility. We should call them 'product defects.’”

She also noted that instead of automatically blaming victims for failing to patch their products quickly enough, "why don't we ask: Why does software require so many urgent patches? The truth is: We need to demand more of technology vendors."

But for those of us here in the SME space - or lower middle market - are we really going to be able to pull economic levers of the scale that the US Government or large global enterprises can?

No, and frankly, we don’t have the bandwidth to do that.

But we do need to be aware of this risk, and manage it within our own infrastructures. And that’s hard, because the threats are ever evolving, and we don’t have the capacity or capability to do the type of deep technical analysis that would uncover these vulnerabilities (much less fix them).

Instead, our strategy needs to be one that is at the core of traditional information security theory: Diversity of Defense and Defense in Depth.

We need to pair these concepts - of not having single points of failure, of not relying on any single given security control or security technology to provide protection - in combination with the deep knowledge of our businesses to build a resilient operation where activity beyond the baseline can be detected and hopefully remediated before it becomes a larger issue.
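As an added illustration of the “activity beyond the baseline” idea (this is example code written for this transcript, not anything from the original post or from any product mentioned in it), the script below learns, per internal device, which external destination/port pairs it normally talks to during a quiet baseline week, then flags flows in a later week that fall outside that learned set. The device names, addresses, ports and flow records are all constructed sample data, and the internal address ranges are assumptions; the point is that an egress-flow log reviewed against a baseline is a second, independent layer that still works when the device itself (a camera, a router) has been compromised and is being used as a relay.

```python
"""Baseline-drift detection over outbound flow records (added example, not from the post).

Learns, per internal device, the set of (destination, port) pairs seen during a
baseline window, then reports pairs in a later window that were never seen before.
All records are constructed sample data; device names, addresses, ports and the
internal network ranges are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed internal ranges; traffic that stays inside these is not baselined here.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    ts: str          # ISO timestamp (constructed)
    src: str         # internal device name (constructed)
    dst: str         # destination IP address
    dport: int       # destination port
    bytes_out: int   # bytes sent by the internal device


# Constructed baseline window: normal traffic from a camera, a printer and a laptop.
BASELINE = [
    Flow("2024-09-16T09:00:00", "cam-01", "203.0.113.10", 443, 12000),
    Flow("2024-09-16T09:05:00", "cam-01", "203.0.113.10", 443, 11800),
    Flow("2024-09-16T09:10:00", "printer-02", "198.51.100.5", 443, 2100),
    Flow("2024-09-16T09:12:00", "laptop-07", "198.51.100.20", 443, 50000),
    Flow("2024-09-16T09:15:00", "laptop-07", "198.51.100.21", 443, 48000),
]

# Constructed observation window: the camera starts talking to a host it never used before.
OBSERVED = [
    Flow("2024-09-23T09:00:00", "cam-01", "203.0.113.10", 443, 12100),
    Flow("2024-09-23T09:03:00", "cam-01", "192.0.2.77", 8443, 900),
    Flow("2024-09-23T09:04:00", "cam-01", "192.0.2.77", 8443, 950),
    Flow("2024-09-23T09:10:00", "printer-02", "198.51.100.5", 443, 2000),
    Flow("2024-09-23T09:11:00", "laptop-07", "198.51.100.20", 443, 51000),
    Flow("2024-09-23T09:12:00", "laptop-07", "10.0.0.5", 445, 3000),  # internal, ignored
]


def is_internal(addr: str) -> bool:
    """True when the address falls inside one of the assumed internal ranges."""
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def build_baseline(flows):
    """Per device: the set of external (dst, dport) pairs seen during the baseline window."""
    base = defaultdict(set)
    for f in flows:
        if not is_internal(f.dst):
            base[f.src].add((f.dst, f.dport))
    return dict(base)


def find_deviations(baseline, flows, min_hits=2):
    """Return sorted (device, dst, dport, hit_count) tuples for external pairs not in the
    baseline. A pair is reported only once it has been seen min_hits times, which damps
    one-off noise such as a single DNS-driven CDN change."""
    counts = defaultdict(int)
    for f in flows:
        if is_internal(f.dst):
            continue
        if (f.dst, f.dport) not in baseline.get(f.src, set()):
            counts[(f.src, f.dst, f.dport)] += 1
    return sorted((dev, dst, port, n) for (dev, dst, port), n in counts.items() if n >= min_hits)


if __name__ == "__main__":
    for dev, dst, port, n in find_deviations(build_baseline(BASELINE), OBSERVED):
        print(f"{dev}: {n} flows to {dst}:{port} outside baseline")
```

In practice the baseline would be rebuilt on a rolling window and the flow records would come from the firewall or router export rather than a list in the script; the detection itself does not depend on the device being trustworthy, which is exactly what makes it a useful second layer.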

While this may seem like a reach - or even a pipe dream - for some of us, I think there’s real business value in this sort of self-reflection and program development.

This is the work that transforms cyber security efforts from playing defense to playing offense, from value preservation to value creation, and gives us something that can truly help support business growth and increase valuation at our next transaction.

Building a program that is thoughtful, covers the basics well, is both defensible and demonstrable - including areas where the business has accepted given risks - is what we should be striving for at our levels.

We can let CISA and the Googles of the world continue to fight Chinese hackers. Our job is to fight complacency, and to do so in a way that gives us a fighting chance in this uphill battle.

Fundraising

From a fundraising perspective, another solid week with more than $13B in newly committed capital, led by a couple of large raises, including: Kohlberg & Co.’s $4.3B for its 10th midmarket PE fund; Silver Point Capital’s $4.6B for its latest opportunistic private credit fund; and ICG’s $1.9B for its third North American private credit fund.

Couple all that with the Fed cutting rates more than anticipated, and we may be set up for quite an active Q4 - despite election concerns. Or not - I can’t see the future. But these do seem like good signs as we close out the quarter.

With that, a reminder that you can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and we’ll see you next week for another edition of the Intentional Brief.
