US Intelligence Leaks and The New (Old) Insider Threat

4–17–2023 (Monday)

Hello and welcome to Cyber Risk at Deal Speed, your weekly video update on the one big thing in cybersecurity for private equity investors and the management teams of their portfolio companies.

I’m your host, Shay Colson, Managing Partner for Cyber Diligence at Coastal Cyber Risk Advisors, and you can find us online at coastalcyber.io.

Today is Monday April 17th, and it’s time to talk about Insider Threats. Let’s dig in.

Intelligence Leaks and The New Insider Threats

The security worlds - both national security and cybersecurity - were dominated by discussion last week of the arrest of an Air National Guardsman in connection to the release of highly sensitive US intelligence on the group-chat platform Discord.

There’s lots that we don’t know and that we will come to know in the weeks and months ahead, but for me this illustrates a challenge that most organizations don’t give enough thought to: insider threats.

Typically, these are thought of and even talked about as “malicious insiders” who are bent on doing damage to the organization, or are conducting corporate or adversarial espionage operations. To be clear, this does happen - there was a great piece in the NYTimes Magazine last month, featured again in a weekend episode of The Daily, detailing how China uses insiders to collect sensitive intelligence.

But this wasn’t that.

This was a kid - 21, though even younger when the leaks started - who was providing them in an effort to build social relationships with others during a global pandemic.

There doesn’t appear to be any malice or even any financial gain from this - it’s just online posturing and the type of things that happen in chat rooms across the internet every day.

So it’s not the malicious insider that is really the threat; it’s the complicit insider who clicks a phishing link, the person who sees something and doesn’t say something, or the person who takes sensitive organizational data outside the organization for whatever purpose.

And while there are certainly lots and lots of technical controls that we could talk about implementing to help prevent, detect, and respond to these threats, I think it’s worth zooming out and thinking more structurally about how we can limit this risk at a fundamental level amongst our portfolio companies.

First and foremost, we need to think very intentionally about our data collection and data retention policies.

In general, if a piece of sensitive data isn’t helping the business make money, it’s really only adding risk, cost, and complexity to the business.

We should get in the regular habit of expunging data that we don’t need for a regulatory, compliance, or legitimate business reason. You can’t lose what you don’t have.

Beyond that, we should think about other structures that can help us handle this data appropriately, namely the concepts of Segmentation & Least Privilege.

By tightly controlling where this data lives, and who has access to it, we can reduce the scope of where we need to apply these technical controls (which, even today, remain expensive and complex to deploy).

Fully recognizing that people will need access to this data, of course, these thoughtful constructs can help reduce the blast radius of things if they go bad.

Finally, we should be intentional and thoughtful about our Logging & Monitoring, Auditing & Alerting capabilities. Ideally, these capabilities help identify anomalous activity early - and even take automated steps to prevent or flag it - and they also serve the business in the case that we need to investigate an incident after the fact.

It means we’re going to need to be able to audit at the data level, at the edge of your network, at the points where users log in, and at the endpoints they use to access these resources.

Are you able to see what’s going on in your enterprise? If not, perhaps it’s time to consider a re-think. This pays dividends not just in combatting the insider threat, but building resilience more generally.
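To make the “audit at the data level” point concrete, here is an added example (not code from the post or from Coastal Cyber) that runs two simple insider-risk checks over access-log lines: a user pulling far more sensitive records in a day than their own recent baseline, and sensitive access outside business hours. The log format, user names, file paths, and thresholds are all constructed assumptions for the example; the goal is to show that even a modest data-level audit trail gives you something to alert on.

```python
"""Added example: baseline-and-spike detection over constructed data-access logs.

Assumed (constructed) log line format, one event per line:
    2023-04-03T09:12:01Z user=amy action=read resource=/hr/salaries.xlsx class=sensitive
"""
import re
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median

# Constructed sample: a week of normal HR access by "amy", two finance reads by
# "bob" (one at 02:30 on a Saturday), one public-wiki read, and one malformed line.
LOG_LINES = [
    "2023-04-03T09:12:01Z user=amy action=read resource=/hr/salaries.xlsx class=sensitive",
    "2023-04-03T13:40:15Z user=amy action=read resource=/hr/reviews/q1.docx class=sensitive",
    "2023-04-03T14:02:11Z user=amy action=read resource=/wiki/lunch-menu.md class=public",
    "2023-04-04T10:05:42Z user=amy action=read resource=/hr/salaries.xlsx class=sensitive",
    "2023-04-04T10:30:00Z user=bob action=read resource=/finance/forecast.xlsx class=sensitive",
    "2023-04-05T09:15:09Z user=amy action=read resource=/hr/offer-letters/ class=sensitive",
    "2023-04-05T16:48:30Z user=amy action=read resource=/hr/reviews/q1.docx class=sensitive",
    "2023-04-06T11:22:47Z user=amy action=read resource=/hr/salaries.xlsx class=sensitive",
    "2023-04-07T09:01:13Z user=amy action=read resource=/hr/headcount.xlsx class=sensitive",
    "2023-04-07T15:37:58Z user=amy action=read resource=/hr/reviews/q1.docx class=sensitive",
    "2023-04-08T02:30:05Z user=bob action=download resource=/finance/board-deck.pdf class=sensitive",
    "this line is malformed and should be skipped",
]
# Monday 2023-04-10 (constructed): amy downloads twelve sensitive HR files in one morning.
LOG_LINES += [
    f"2023-04-10T09:{m:02d}:00Z user=amy action=download resource=/hr/employee-{n:03d}.pdf class=sensitive"
    for n, m in enumerate(range(0, 60, 5), start=1)
]

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z\s+(?P<kv>(?:\w+=\S+\s*)+)$"
)


def parse_line(line):
    """Parse one log line into a dict; return None for anything that doesn't fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = dict(pair.split("=", 1) for pair in m.group("kv").split())
    event["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return event


def sensitive_events(lines):
    """Keep only well-formed events that touch data classified 'sensitive'."""
    return [e for e in map(parse_line, lines) if e and "user" in e and e.get("class") == "sensitive"]


def daily_counts(events):
    """user -> {date: number of sensitive accesses that day}."""
    counts = defaultdict(lambda: defaultdict(int))
    for e in events:
        counts[e["user"]][e["ts"].date()] += 1
    return counts


def detect_volume_spikes(events, factor=3.0, min_count=5, min_history=3):
    """Flag a day where a user's sensitive-access count is both above an absolute
    floor and more than `factor` times the median of their other logged days.
    Users with fewer than `min_history` other days have no baseline and are skipped."""
    alerts = []
    for user, per_day in daily_counts(events).items():
        for day, count in sorted(per_day.items()):
            history = [c for d, c in per_day.items() if d != day]
            if len(history) < min_history:
                continue
            baseline = median(history)
            if count >= min_count and count > factor * baseline:
                alerts.append({"user": user, "day": day.isoformat(), "count": count, "baseline": baseline})
    return alerts


def detect_off_hours(events, start_hour=8, end_hour=18):
    """Flag sensitive access on weekends or outside [start_hour, end_hour) UTC."""
    alerts = []
    for e in events:
        ts = e["ts"]
        if ts.weekday() >= 5 or not (start_hour <= ts.hour < end_hour):
            alerts.append({"user": e["user"], "ts": ts.isoformat(), "resource": e.get("resource")})
    return alerts


def run(lines):
    """Run both detectors and return their findings plus how many events were usable."""
    events = sensitive_events(lines)
    return {
        "parsed": len(events),
        "volume_spikes": detect_volume_spikes(events),
        "off_hours": detect_off_hours(events),
    }


if __name__ == "__main__":
    for kind, hits in run(LOG_LINES).items():
        print(kind, hits)
```

The per-user median baseline is the important design choice: a flat “more than N files per day” rule either drowns a help desk in noise or misses a quiet user who suddenly pulls everything. The off-hours rule is deliberately crude and would need per-team schedules and time zones in practice; what matters for the post’s argument is that neither check is possible unless access to sensitive data is logged at the data level in the first place.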

Much of this can be accomplished without adding budget, or can be incorporated into already planned upgrades and refreshes from an IT and networking perspective.

Western Digital Follow-Up

We mentioned last week that Western Digital was having a “network security incident” that impacted the availability of their cloud backups.

Now we know more - with hackers claiming to have “control over Western Digital’s code-signing certificate, private phone numbers belonging to company executives, stolen SAP Backoffice data, and even managed to gain administrator access to Western Digital’s Microsoft Azure instance.”

“TechCrunch reports that the hackers are trying to negotiate a ransom payment of a “minimum 8 figures” to not publish the stolen data. Western Digital declined to comment on the situation.”

One of the things about ignoring, denying, or otherwise obfuscating these events is that the threat actors are quite adept at letting the world know that they’ve breached an organization, and it’s built into their business model.

We are clearly still working out norms for handling these issues, but it doesn’t seem like Western Digital is exactly following the best practices here. We’ll check back in next week and see what’s new.

Fundraising

Massive week from a fundraising perspective, with more than $55B in newly committed capital.

Much of this is due to a huge $30B real estate fund raised by Blackstone, but there were also some other massive raises, including HPS Investment Partners putting up $17B for its fifth flagship junior credit fund - more than we saw raised all last week, by a few billion dollars - and Lux Capital - a VC firm - throwing in $1.15B for its eighth fund.

Discussions from Axios this morning call for a “hero” to lead the new IPO wave - a large tech company who can raise at least $100M and demonstrate to the rest of the herd that it’s a viable path forward. With high burn rates, increasing cost of capital, and growing LP resistance to the model, VC does appear to be looking for someone to lead the charge.

At the same time, PitchBook notes that exit count and value declined for the third straight quarter, and that corporations (as opposed to other PE investors) made up nearly 70% of all buyers of PE assets.

You can find all the links to the stories we covered below, find back issues of these videos and the written transcripts at cyberriskatdealspeed.com, and we’ll see you next Monday for another edition of Cyber Risk at Deal Speed.

Links

https://www.nytimes.com/2023/04/16/podcasts/the-daily/china-america-spying.html

https://www.nytimes.com/2023/03/07/magazine/china-spying-intellectual-property.html?action=click&module=RelatedLinks&pgtype=Article

https://www.theverge.com/2023/4/14/23683081/western-digital-hack-data-hostage-report

https://www.axios.com/newsletters/axios-pro-rata-6fbffa72-f60e-4330-98f7-b769fa7c0989.html
