<?xml version="1.0" encoding="utf-8"?><feed xmlns="http://www.w3.org/2005/Atom" ><generator uri="https://jekyllrb.com/" version="4.3.1">Jekyll</generator><link href="/feed.xml" rel="self" type="application/atom+xml" /><link href="/" rel="alternate" type="text/html" /><updated>2024-03-04T14:05:35+00:00</updated><id>/feed.xml</id><title type="html">World of Balgan</title><subtitle>Welcome to my blog where I write about some of my interests and findings.</subtitle><entry><title type="html">Transforming Information Security: The Emerging Role of Cyber Insurance</title><link href="/cyberinsurance/industry/insurance/infosec/2024/02/29/cyberinsurance-power.html" rel="alternate" type="text/html" title="Transforming Information Security: The Emerging Role of Cyber Insurance" /><published>2024-02-29T22:00:00+00:00</published><updated>2024-02-29T22:00:00+00:00</updated><id>/cyberinsurance/industry/insurance/infosec/2024/02/29/cyberinsurance-power</id><content type="html" xml:base="/cyberinsurance/industry/insurance/infosec/2024/02/29/cyberinsurance-power.html">&lt;h1 id=&quot;the-issues-plaguing-the-information-security-industry&quot;&gt;The issues plaguing the information security industry.&lt;/h1&gt;

&lt;p&gt;In the realm of information security, an industry fraught with unique challenges, we stand on the brink of a transformative era. Traditionally, the sector has grappled with quantifying the financial value of security measures, a task often demanded by corporate boards. Information security departments, viewed as cost centers, have struggled to secure adequate resources and budgetary allocations, despite their crucial role in safeguarding organizational assets against cyber threats.&lt;/p&gt;

&lt;p&gt;A particularly pressing issue has been the handling of vulnerabilities by companies. Instances abound where security researchers, acting in good faith, uncover and report critical flaws, only to be met with disregard or, alarmingly, legal threats. This lack of cooperation and acknowledgment not only hampers collective security efforts but also leaves organizations vulnerable to cybercriminals exploiting these very weaknesses, as highlighted in a recent &lt;a href=&quot;https://techcrunch.com/2024/02/29/leaky-database-two-factor-codes/&quot;&gt;TechCrunch article&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;At &lt;a href=&quot;https://binaryedge.io&quot;&gt;BinaryEdge&lt;/a&gt;, we dedicated countless hours to notifying companies of potential security breaches, without any ulterior motive for financial gain or service promotion. Yet, our experiences have often been disheartening, with many companies choosing to ignore our warnings or, worse, responding with threats of legal action.&lt;/p&gt;

&lt;p&gt;The information security industry also contends with its dependency on vendors who supply security solutions. Historically, the efficacy and accountability of these &lt;a href=&quot;https://www.darkreading.com/cyber-risk/insurers-claims-data-recommend-cybersecurity-technologies&quot;&gt;“blinky light”&lt;/a&gt; technologies have been questionable, with purchasing decisions frequently driven by industry benchmarks rather than proven effectiveness. The recent trend of exploiting vulnerabilities in security appliances underscores the urgent need for vendors to prioritize the security of their products.&lt;/p&gt;

&lt;h3 id=&quot;the-advent-of-cyber-insurance&quot;&gt;The Advent of Cyber Insurance&lt;/h3&gt;

&lt;p&gt;The introduction of cyber insurance marks a pivotal shift in the landscape. To incite meaningful change among powerful corporations, a significant portion of their client base must demand accountability. Cyber insurers, with their expanding portfolios, are uniquely positioned to influence this dynamic. Their financial stakes in the security of their policyholders naturally align with the promotion of sound security practices.&lt;/p&gt;

&lt;p&gt;Cyber insurers have the leverage to influence technology procurement decisions, guiding policyholders towards secure solutions and penalizing poor vendor choices through policy adjustments. This dynamic not only fosters a more discerning approach to technology adoption but also holds vendors accountable for the security of their products.&lt;/p&gt;

&lt;p&gt;Moreover, cyber insurers’ access to incident response and loss data equips them with the ability to correlate security measures with tangible financial outcomes. This data-driven approach to risk management contrasts sharply with the anecdotal and intuition-based methods that have traditionally dominated the industry.&lt;/p&gt;

&lt;p&gt;The integration of cyber insurance into the information security ecosystem heralds a new era of accountability and effectiveness. By aligning financial incentives with security outcomes, cyber insurers have the potential to catalyze a significant transformation in how companies approach and value information security.&lt;/p&gt;

&lt;p&gt;I urge the cyber insurance sector to transcend the narrow perspective of merely selling policies. Together, we have the power to reform an entire industry and guide our clients towards investing in technology that genuinely delivers results. Let’s adopt a more visionary and courageous approach.&lt;/p&gt;</content><author><name></name></author><category term="cyberinsurance" /><category term="industry" /><category term="insurance" /><category term="infosec" /><summary type="html">The issues plaguing the information security industry.</summary></entry><entry><title type="html">AI Revolution and how to leverage it</title><link href="/cyberinsurance/industry/insurance/ai/artificialintelligence/2023/04/10/ai.html" rel="alternate" type="text/html" title="AI Revolution and how to leverage it" /><published>2023-04-10T22:00:00+00:00</published><updated>2023-04-10T22:00:00+00:00</updated><id>/cyberinsurance/industry/insurance/ai/artificialintelligence/2023/04/10/ai</id><content type="html" xml:base="/cyberinsurance/industry/insurance/ai/artificialintelligence/2023/04/10/ai.html">&lt;p&gt;We’re 6 months out from what will forever be considered the kick off of the Artificial Intelligence revolution, the launch of chatGPT by OpenAI. ChatGPT not only works (and worked) extremely well when it was launched, but the clean design and interface it was wrapped in made it so that it is incredibly easy to use.&lt;/p&gt;

&lt;p&gt;If you’re feeling overwhelmed with all the releases coming out in AI, don’t worry, you’re not alone. Even those of us that are heads down, reading and building are finding it hard to catch up with everything coming out.&lt;/p&gt;

&lt;p&gt;At the same time, if the research team in your organization isn’t actively working on how to embed these technologies into your business workflows, you will struggle to keep up with the pace of organizations that do leverage these tools. It’s not about firing people or someone losing their job, it’s about making all your people 10x engineers/accountants/designers/writers/&amp;lt;insert job&amp;gt; without the need to overhire. Can we get to 10x revenue faster with less cost?&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/img/revgrowth.png&quot; alt=&quot;revgrowth&quot; /&gt;&lt;/p&gt;

&lt;p&gt;From audio, image and video generative models and chat/text models (LLMs, Large Language Models) to the current wave of agents being created, there is a lot going on.&lt;/p&gt;

&lt;p&gt;This blogpost will walk through some of these technologies and how to leverage them in your day to day. AI will make some jobs obsolete, but it will also allow people that leverage it to become 10x workers, and it will create new jobs that we can’t even imagine right now (how many of you would have said prompt engineer was a job 1/2 years ago?).&lt;/p&gt;

&lt;h2 id=&quot;llm---large-language-models&quot;&gt;LLM - Large Language Models&lt;/h2&gt;

&lt;p&gt;You can think of an LLM as a parrot with a lot of memory, because that is exactly what these models are. They get trained on large amounts of text data (books, articles, papers, websites, etc…) and then use that knowledge to help answer questions, provide suggestions, create content, have a conversation.&lt;/p&gt;

&lt;p&gt;It’s easy to fall under the illusion that these models have “consciousness” or that they are “alive”. But the reality is that these models are choosing, word by word, whichever word has the highest probability of following the previous ones. Reasoning is something that is being improved in the models; a great example of the difference between GPT 3.5 and GPT 4.0 can be seen underneath.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;A question posed to GPT 3.5 vs GPT 4&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/img/murderer35.png&quot; alt=&quot;Murderer35&quot; /&gt;&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/img/murderer4.png&quot; alt=&quot;Murderer40&quot; /&gt;&lt;/p&gt;

&lt;p&gt;The models also have cut off dates on the knowledge they were trained on. ChatGPT will tell you as much if you ask!&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/img/cutoff.png&quot; alt=&quot;Cutoff&quot; /&gt;&lt;/p&gt;

&lt;p&gt;So does that mean you can’t use it for recent events, or for your own data?&lt;/p&gt;

&lt;p&gt;Think again! In comes LangChain 🦜️🔗&lt;/p&gt;

&lt;p&gt;LangChain is a framework for building applications on top of multiple LLMs. It lets you easily create embeddings from your own content, and create agents or chains (sequences of calls) between LLMs and other tools. But to understand this we must first understand what an embedding is.&lt;/p&gt;

&lt;p&gt;Embeddings are numerical representations of words, phrases or other language elements. In a simplistic way, you can think of them the way a compiler translates the code we write into machine code so that machines can understand it: embeddings are the equivalent for machine learning models needing to understand language. This essentially allows us to convert unstructured data into a structured form.&lt;/p&gt;

&lt;p&gt;But how does this relate to LangChain and all the discussion above? Let’s dive into an example!&lt;/p&gt;

&lt;p&gt;As a first example, we ask GPT-4 to tell us about the latest 10-K form (for the year 2022). As we know from the discussion above, ChatGPT has a cutoff date of September 2021, so the response is what we expect:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/img/langchain1.png&quot; alt=&quot;LangChain&quot; /&gt;&lt;/p&gt;

&lt;p&gt;We know we can download the &lt;a href=&quot;https://www.sec.gov/Archives/edgar/data/1318605/000095017023001409/tsla-20221231.htm&quot;&gt;latest 10-K form for Tesla&lt;/a&gt; from the SEC website.&lt;/p&gt;

&lt;p&gt;We download the content of the page into a file called tsla-2023-10k.txt; now let’s write some code.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/img/langchain-custom.png&quot; alt=&quot;LangChainC&quot; /&gt;&lt;/p&gt;

&lt;p&gt;What the code above does is grab the content of the &lt;strong&gt;tsla-2023-10k.txt&lt;/strong&gt; file, send it to OpenAI in chunks to generate the embeddings, and then store them in Pinecone (a vector database, which is fancy talk for a database specialized in storing embeddings).&lt;/p&gt;

&lt;p&gt;It then asks ChatGPT a query (“Tell me about Tesla’s latest 10k from a financial performance perspective”) by looking in our Pinecone index for content similar to our question and passing only that similar content to OpenAI. Essentially, imagine copy-pasting parts of the 10-K form into ChatGPT and saying “based on the content above, tell me about this 10-K form”.&lt;/p&gt;

&lt;p&gt;With the output looking like this:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/img/langchain2.png&quot; alt=&quot;LangChain&quot; /&gt;&lt;/p&gt;

&lt;p&gt;And this, as a simple example, is how you can have your own documentation/content used by ChatGPT to answer your questions.&lt;/p&gt;

&lt;h2 id=&quot;agents&quot;&gt;Agents&lt;/h2&gt;

&lt;p&gt;Another great piece of LangChain functionality is Agents. Agents are essentially the use of LLMs to make decisions, take actions, observe the result of each action and continue until the original task they were given is concluded. This is an area that is growing fast: in March, Yohei Nakajima published an open source framework called “Baby AGI” (AGI stands for Artificial General Intelligence) which uses agents to complete a task. I grabbed &lt;a href=&quot;https://github.com/yoheinakajima/babyagi&quot;&gt;his framework&lt;/a&gt;, modified the agents to use LangChain, and gave it access to three tools: Google, a Python REPL and bash.&lt;/p&gt;

&lt;p&gt;I then gave it an objective and first task:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Objective&lt;/strong&gt;: behave as a cyber insurance underwriter and find which possible issues might lead to a cyber insurance claim.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;First task&lt;/strong&gt;: Learn about cyber insurance coverages and then by using available tools discover which issues might exist with www.linkedin.com&lt;/p&gt;

&lt;p&gt;The results were interesting to observe, as the agent only ran for about 2 minutes and all of a sudden it knew it needed nmap to identify issues, and started using nmap to identify open ports. Although clearly still in an early phase, one can easily see where this technology will go in the next few months / years.&lt;/p&gt;

&lt;blockquote class=&quot;twitter-tweet&quot;&gt;&lt;p lang=&quot;en&quot; dir=&quot;ltr&quot;&gt;Using &lt;a href=&quot;https://twitter.com/yoheinakajima?ref_src=twsrc%5Etfw&quot;&gt;@yoheinakajima&lt;/a&gt; framework as a foundation, I then transformed the agents into &lt;a href=&quot;https://twitter.com/LangChainAI?ref_src=twsrc%5Etfw&quot;&gt;@LangChainAI&lt;/a&gt; agents and gave them access to google search, python and bash, and told it to become a cyber underwriter. Pretty cool to see what it does with just a few minutes running... &lt;a href=&quot;https://twitter.com/hashtag/infosec?src=hash&amp;amp;ref_src=twsrc%5Etfw&quot;&gt;#infosec&lt;/a&gt; &lt;a href=&quot;https://t.co/Hk5QA33PeS&quot;&gt;pic.twitter.com/Hk5QA33PeS&lt;/a&gt;&lt;/p&gt;&amp;mdash; Tiago Henriques (@Balgan) &lt;a href=&quot;https://twitter.com/Balgan/status/1643291878824062976?ref_src=twsrc%5Etfw&quot;&gt;April 4, 2023&lt;/a&gt;&lt;/blockquote&gt;

&lt;p&gt;If you’re a founder, working on a marketplace for agents and tools for different frameworks is a great opportunity! At some point soon, we will have something similar to Zapier for AI agents.&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;https://arxiv.org/pdf/2304.03442.pdf&quot;&gt;Google and Stanford recently put out a paper&lt;/a&gt; where they allowed 25 agents to interact in a simulated world while giving them memory and allowing them to recall, communicate, observe and reflect. The results are astounding.&lt;/p&gt;

&lt;p&gt;They observed emergent social behaviors such as information diffusion: one agent announced they were planning a Valentine’s day party, and other agents started spreading that information during conversations.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/img/agents.png&quot; alt=&quot;agents&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Much like the real world, a number of agents skipped the party because they had other plans and others just didn’t show. They also recall information about each other: one agent meets another in the park and she tells him she is working on a photography project; later, when they meet again, he asks her about the project.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/img/agents2.png&quot; alt=&quot;agents2&quot; /&gt;&lt;/p&gt;

&lt;p&gt;The agents built life patterns. In the morning, John Lin always follows his morning routine of getting up, brushing his teeth, taking a shower, eating breakfast and talking to his son and wife.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/img/agents3.png&quot; alt=&quot;agents3&quot; /&gt;&lt;/p&gt;

&lt;p&gt;What if we created simulated scenarios related to jobs, or to something we wanted these agents to become really good at? What would we learn or observe?&lt;/p&gt;

&lt;p&gt;Maybe Westworld isn’t that far away….&lt;/p&gt;

&lt;h2 id=&quot;not-just-text&quot;&gt;Not just text!&lt;/h2&gt;

&lt;p&gt;AI techniques and technologies are evolving at an extremely fast pace. With image and sound generation, many industries are about to be disrupted. Another writing on the wall is how we will see scams increase over time due to the existence of these tools.&lt;/p&gt;

&lt;p&gt;From voice cloning to deep fakes, these technologies are improving in quality while decreasing the entry barrier for scammers. I was on NBC talking about this just a few weeks ago as seen in the following clip:&lt;/p&gt;

&lt;iframe width=&quot;560&quot; height=&quot;315&quot; src=&quot;https://www.youtube.com/embed/V6_jCGzR020&quot; title=&quot;YouTube video player&quot; frameborder=&quot;0&quot; allow=&quot;accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share&quot; allowfullscreen=&quot;&quot;&gt;&lt;/iframe&gt;

&lt;p&gt;In less than 30 minutes I was able to pull some clips of the journalist Emilie Ikeda from YouTube; we then called one of her colleagues and got her to give us her corporate credit card (none of it was staged, we actually had a first attempt that failed), and while it wasn’t perfect either, it worked, and will only get better from here.&lt;/p&gt;

&lt;p&gt;This of course led groups of people from both sides of the “insurable/non-insurable” argument to come out with their own spins and comments on the words of Greco.&lt;/p&gt;

&lt;p&gt;For a while I’ve been observing the different parties that play a role in cyber insurance, and seeing posts and comments from all sides that are just incorrect or misinformed. I decided to write this post as an attempt to have an honest talk about cyber insurance as an industry and to fix some of the narrative that is currently ongoing, so that we can move on and build a better industry for all parties involved.&lt;/p&gt;

&lt;p&gt;Our main parties for this blogpost are: Policyholders, Brokers, Insurance providers (insurance/mga), Re-insurance companies, Information Security organizations and professionals.&lt;/p&gt;

&lt;h2 id=&quot;policyholders&quot;&gt;Policyholders&lt;/h2&gt;

&lt;p&gt;While they are the most important player (as they are the customer, and the customer should almost always be the most important), they are also the one with the easiest problem to solve, because their desire is &lt;strong&gt;“How can I get my premium to a more acceptable level?”&lt;/strong&gt; So, here is your cheatsheet to get more cost-effective cyber insurance coverage:&lt;/p&gt;

&lt;p&gt;1 - Take your remote management (and critical or typically vulnerable) services off the internet so they are not directly exposed. That means your RDP, SMB, hypervisors, etc. Put all of that behind a VPN or SASE solution. If we see it, attackers see it. We don’t want to see it.&lt;/p&gt;

&lt;p&gt;2 - Take your web login forms for managed appliances, systems and administrator panels off the internet. That means your WordPress login, firewall login page, phpMyAdmin and cPanel. Put all of it behind a VPN/SASE or SSO type of solution. We don’t want to see it.&lt;/p&gt;

&lt;p&gt;3 - MFA - Enforce MFA everywhere. Read my words again: enforce, not just enable; not enforce on some, enforce it everywhere. For some extra points, make it something other than push notifications.&lt;/p&gt;

&lt;p&gt;4 - Backups - Daily/Weekly backups, with monthly (or at least quarterly) restoration tests. Backups must be offline (separate from your day to day operations) and encrypted.&lt;/p&gt;

&lt;p&gt;5 - Move away from on-prem Exchange. O365, Gmail enterprise, but no on-prem Exchange. It’s incredibly hard (some would argue impossible) to maintain a secure Exchange installation these days. It will get hammered even further in 2023.&lt;/p&gt;

&lt;p&gt;These steps will usually get you to a good security position and should largely get you a really acceptable coverage/premium balance if you use a modern insurance provider. If you want a few extra brownie points, have a strong control on transfers above a certain threshold to help with those pesky FTF (funds transfer fraud) attacks.&lt;/p&gt;

&lt;p&gt;Understand what type of policy you have and what it covers. You often read in the news that “cyber insurance claims aren’t being paid”, but that is actually false and a misrepresentation by the media. You look at Zürich vs Mondelez, but it wasn’t a cyber insurance policy that they had, it was a property insurance policy. &lt;a href=&quot;https://www.insurancejournal.com/news/national/2022/12/29/701088.htm&quot;&gt;You look at the EMOI Services case&lt;/a&gt;, but it wasn’t cyber either. They filed it under their business owner insurance policy.&lt;/p&gt;

&lt;p&gt;Demand more from your cyber insurance provider. There are amazing offers out there that can even help you save on your infosec/it budget.&lt;/p&gt;

&lt;p&gt;You read about war exclusions, but this is actually something all other insurance lines have done. What Lloyd’s did was give more detailed definitions, to remove ambiguity about when and where exclusions will apply.&lt;/p&gt;

&lt;h2 id=&quot;brokers&quot;&gt;Brokers&lt;/h2&gt;

&lt;p&gt;Dear Brokers, you are one of the most critical parties. You are an advisor to your customers, a sherpa, a guide, the warden of their coverage.&lt;/p&gt;

&lt;p&gt;Do not let your customers take the cheaper path, because in the medium to long term it’s a path full of pain. Just because a quote is the cheapest, it doesn’t mean it’s the right quote for your customer. Just because a provider pays the highest commission, it doesn’t mean that extra 1% is going to be the right choice to keep your customer happy.&lt;/p&gt;

&lt;p&gt;When a policyholder has a claim, we all suffer, we all lose. You can put a stop to it. When the insurance company tells you that the customer MUST fix something before we can bind, it’s because we’ve seen hackers use that exact thing to break into companies. It’s not because we want to add extra friction to your business.&lt;/p&gt;

&lt;p&gt;So please, please, please get the customer to fix the security issues found in scans. It will save everyone a lot of pain.&lt;/p&gt;

&lt;p&gt;You are the central party that coordinates everyone. Make sure you’re adding the right domains on the application, that you’re giving us the right policyholder contact (for us to notify them of security issues), and overall enable everyone to be their best selves. We all want the same thing: a happy customer.&lt;/p&gt;

&lt;h2 id=&quot;insurance-providers&quot;&gt;Insurance Providers&lt;/h2&gt;

&lt;p&gt;The days of the PDF are over. Embrace technology, embrace scanning, and start building technology, threat intelligence and security teams within your organizations if you want to be successful at underwriting cyber.&lt;/p&gt;

&lt;p&gt;Buying 3rd party reports won’t work (you’re only getting a snapshot in time, and these companies don’t really know where claims are coming from). A risk might look one way today and change tomorrow if a new vulnerability is released, and you need to be prepared to give guidance on how to mitigate it. You need to have that knowledge in-house, integrated into your insurance workflow.&lt;/p&gt;

&lt;p&gt;While some have criticized outside-in scans, the reality is that we see what a hacker sees, so it’s a great place to start. Perfect? No, but a strong foundation. Build it. Understand how to price a risk, the impact of a vulnerability, and how to credit defensive controls. Ask your teams how they think about the following scenarios:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/img/vulns-companies.jpg&quot; alt=&quot;vulns&quot; /&gt;&lt;/p&gt;

&lt;p&gt;If the answer is “We look at industry and record count.” well… you have a problem.&lt;/p&gt;

&lt;p&gt;Cyber is a line you will have to participate in in the future; technology is all around us and is becoming a bigger and bigger part of our lives. AI, cryptocurrencies, AR/VR, the metaverse: some of these might be fads, but they all play an important part in the discourse of our evolution as humanity, and you need to understand which role they play and how they affect your coverage.&lt;/p&gt;

&lt;p&gt;Move your way of thinking away from “prevent the hack”: your policyholders will get hacked. Start asking them how they are going to contain the damage, and how fast they can recover afterwards.&lt;/p&gt;

&lt;p&gt;Move your mindset from just Prevention (as there are no silver bullets in cybersecurity) to Prevent, Contain, Restore.&lt;/p&gt;

&lt;p&gt;Understand attacker behavior and which vulnerabilities matter.&lt;/p&gt;

&lt;h2 id=&quot;re-insurance-companies&quot;&gt;Re-insurance companies&lt;/h2&gt;
&lt;p&gt;Cyber is a new type of risk. While it might be tempting to compare it to other lines or risks you already re-insure, it just isn’t the same. You need to have a set of diversified skills just to understand the “cyber” part of the risk: from networking and cloud expertise, through cybersecurity (web applications, network enabled services, mobile), to compliance, threat modelling and risk management.&lt;/p&gt;

&lt;p&gt;The reality is that cyber is a risk that is very volatile and dynamic in its nature (new vulnerabilities being found on a daily basis and new software being built on a daily basis), but it’s one that still relies on humans to be exploited. That means there is a limit to the number of organizations being attacked at any time, and a limit (typically based on incentives) on the vulnerabilities that will be and can be exploited at any time. I suggest you read &lt;a href=&quot;https://www.balgan.world/cyberinsurance/insurance/cybersecurity/2021/12/27/aggregation.html&quot;&gt;my previous blogpost&lt;/a&gt; on aggregation and why you need to be thinking at a more granular level.&lt;/p&gt;

&lt;p&gt;You need to have technology experts that understand how the evolutions in technology are affecting your portfolio, and who also question your modelling. AWS isn’t a single blob that can go down for 30 days, as some of the scenarios presented to you by the modelling companies assume. AWS is a highly evolved cloud system, multi-region, multi-datacenter and highly redundant, that sometimes has specific services and regions go down. It’s also something so critical to the world that if, for some ungodly (and physics-law-breaking) reason it did happen to go down for 30 days, it’s not a cyber insurance problem, it’s a government problem, as you would struggle to get money out of your bank or food from the supermarket, and many other bad things would happen (guess who would also live in this world? Attackers. Guess who doesn’t want this to happen to their families and themselves? Attackers.).&lt;/p&gt;

&lt;p&gt;Yes, the attack surface is expanding (which many use as an argument for cyber being uninsurable), but technology is also evolving and making good and reliable solutions available at more accessible prices for organisations. A few years ago you had no DDoS protection; now you can get Cloudflare for free.&lt;/p&gt;

&lt;p&gt;Is there aggregation in cyber? Yes.&lt;/p&gt;

&lt;p&gt;Is it as big as it’s currently being modelled? No.&lt;/p&gt;

&lt;p&gt;Your other risks tell you to look at historical events to model future events, but it’s very rare for a risk’s landscape to change the way cyber’s does.&lt;/p&gt;

&lt;p&gt;Technology has evolved very fast: while 10 years ago a single individual with a home connection was able to DoS a major provider, today it would be a lot harder.&lt;/p&gt;

&lt;p&gt;The cloud didn’t use to be multi-region, multi-datacenter and highly redundant, but today it is, and cloud providers hire the biggest experts in the world across all areas of technology to help keep those services alive and healthy.&lt;/p&gt;

&lt;p&gt;EDRs and easier-to-use backup solutions didn’t use to be a thing, but today they are. MDR services are getting cheaper and more accessible, and organizations are starting to use them to leverage that expertise for security monitoring.&lt;/p&gt;

&lt;p&gt;All of these evolutions need to factor into your modelling, and they will continue to exist and evolve. With the advances in artificial intelligence, how soon until we have reliable AI agents defending networks, our policyholders, and portfolios? (My bet is the next 3-5 years, and notice my use of the word reliable.)&lt;/p&gt;

&lt;p&gt;Be selective to whom you’re giving your re-insurance capacity. If you give it to insurance providers that don’t embrace technology (like scanning, continuous underwriting, pro-active security services and other techniques to help with risk mitigation, selection and reduction) you’re exacerbating the problem.&lt;/p&gt;

&lt;p&gt;Have the companies that have access to technology about the insureds help you get data to model your portfolio more accurately. You will be able to fix your reserving and help the market with capacity.&lt;/p&gt;

&lt;p&gt;As you think about exclusions, first understand all of the above, then also ask cybersecurity experts how hard a problem attribution is. An individual can buy or hack a server in China/Russia and then hack from that IP space; how will you distinguish what is war vs what isn’t? One hacking group can emulate and steal techniques from a government-backed hacking group; how will we know who is who? Make it so that the organizations you’re covering are enforcing strong baselines on their policyholders. That way we improve security and recovery methods, so that even if one of these groups is successful, the organization can get back online fast and the impact stays small/low.&lt;/p&gt;

&lt;p&gt;The same applies to critical infrastructure. You have the power to move the needle on the security hygiene of those companies.&lt;/p&gt;

&lt;h2 id=&quot;information-security-organizations-and-individuals&quot;&gt;Information security organizations and individuals&lt;/h2&gt;

&lt;p&gt;I leave my favorites for last. I’ve been a part of this industry for a while now and seen different sides of it; from being a student, a consultant and a company founder, I’ve seen the good and the bad.&lt;/p&gt;

&lt;p&gt;Embrace insurance. It’s a tool like any other, and it’s in no way, shape or form trying to replace security or its controls (it actually depends on your success).&lt;/p&gt;

&lt;p&gt;Learn how to talk and argue about risk in $, not CVSS scores. Your CFO doesn’t understand CVSS scores, nor should he. He wants to know how much insurance coverage he should buy to be comfortable with risk, and the brokers can be your friends here and help you out; the insurance providers give them tools that make this easy to explain!&lt;/p&gt;

&lt;p&gt;There are going to be some hard times. Just because your company has a tool/technology that solves a problem, it doesn’t mean that problem is something attackers are actively exploiting.&lt;/p&gt;

&lt;p&gt;I met with a (very big) security company a while ago that did a type of scanning that finds a specific set of vulnerabilities, and they were telling me about all the things they had discovered and asked me how soon I wanted to partner with them to reduce the amount of claims we were paying. The problem? In the 3 years I have been at Coalition there hasn’t been a single instance of us having a policyholder be compromised by that method.&lt;/p&gt;

&lt;p&gt;While the security vulnerabilities were real, attackers simply don’t care, because they have other, simpler ways to get in.&lt;/p&gt;

&lt;p&gt;Does that mean that in the future we won’t see this? No, but at least for now it’s not a priority problem for us, and if it isn’t for us, should it be for the companies trying to prioritize what they should fix when they have restricted budgets and limited security staff?&lt;/p&gt;

&lt;p&gt;The insurance industry is going to play a critical part in your life. Take the time to understand it instead of just eating up what the media spouts. If you’re a startup, there are incredible opportunities for you to partner up with insurance companies: they need technical knowledge, which you have, and you need exposure to companies’ security problems at large scale, which they have.&lt;/p&gt;

&lt;h1 id=&quot;conclusion&quot;&gt;Conclusion&lt;/h1&gt;
&lt;p&gt;Cyber is insurable. But we have a lot of work ahead of us.&lt;/p&gt;</content><author><name></name></author><category term="cyberinsurance" /><category term="industry" /><category term="insurance" /><summary type="html">On boxing day, Financial Times released an article where Mario Greco, the Zurich Insurance CEO stated “What will become uninsurable is going to be cyber,” and “What if someone takes control of vital parts of our infrastructure, the consequences of that?” .</summary></entry><entry><title type="html">Gaming and Reverse Engineering a product engineer make</title><link href="/leadership/product/strategy/2022/12/12/product.html" rel="alternate" type="text/html" title="Gaming and Reverse Engineering a product engineer make" /><published>2022-12-12T22:00:00+00:00</published><updated>2022-12-12T22:00:00+00:00</updated><id>/leadership/product/strategy/2022/12/12/product</id><content type="html" xml:base="/leadership/product/strategy/2022/12/12/product.html">&lt;p&gt;This week I read an interesting article about &lt;a href=&quot;https://www.semi.technology/2022/12/08/the-case-of-product-engineering.html&quot;&gt;“Product Engineering”&lt;/a&gt;. I’ve often found myself as both a product leader but also the engineering lead, and absolutely feel like I couldn’t do one without the other.&lt;/p&gt;

&lt;h1 id=&quot;engineering-and-product---yin-and-yang&quot;&gt;Engineering and Product - Yin and Yang&lt;/h1&gt;

&lt;p&gt;For most of my academic training and professional career I have been an engineer: I have an undergrad in software engineering, have coded most of my life and always made sure I kept up with the latest technologies. However, when I started my own company, I felt like something was missing: understanding our users, how they thought, their pain and needs, was something we needed and didn’t have.&lt;/p&gt;

&lt;p&gt;So I started focusing on growing my product brain, and shifting how I as an engineer thought about things (very detailed, going deep into lines of code and what technologies to use) to a higher-level vision, where I thought about roadmaps, how the different feedback I was hearing from customers translated into features and how they all connected with each other.&lt;/p&gt;

&lt;p&gt;While doing this shift, I found myself using 2 skills from my life: Gaming and Reverse Engineering.&lt;/p&gt;

&lt;p&gt;As I looked at a product and features, I immediately formed in my head the product tech tree.&lt;/p&gt;

&lt;p&gt;If you’ve ever played Civilization, you will recognize the following image:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/img/civ6.jpg&quot; alt=&quot;civ6&quot; /&gt;&lt;/p&gt;

&lt;p&gt;I’ve since used this same method to think about products and features that I want my teams to develop. Some typical questions I ask myself are:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;
    &lt;p&gt;What dependencies do I need to deliver a feature or product?&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;Can I generate revenue from those smaller dependencies? (Meaning that I don’t have to wait for the final feature to be developed to have it generate revenue.)&lt;/p&gt;
  &lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;However, my version of the tech tree also creates a central trunk; you can think of this as the features or products that fall within the core of your business. As features mature and time passes the central trunk expands, allowing you to also expand into other areas. Let’s take a look at an example.&lt;/p&gt;

&lt;p&gt;When I initially built BinaryEdge, I knew I wanted to get the product to a point where organizations didn’t have to search our raw data. The reality is that without technical staff who understand scanning data it is hard for organizations to use the raw data; in my head they could just type their company name and from there the system would find the domains, sub-domains and IP addresses (these types of products are now known as Attack Surface Management platforms).&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/img/tree1.jpg&quot; alt=&quot;tree1&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Our core branch is represented in green here.&lt;/p&gt;

&lt;p&gt;Ok now that I had a platform where I could type the name of an organization and the system would generate a security report and monitor the assets of that organization, 2 other branches unlocked for us as a business. We can also see our main branch expanding (our core business).&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/img/tree2.jpg&quot; alt=&quot;tree2&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Now we need to figure out the time and features needed for expansion into these new branches, and this is where reverse engineering comes in, because you need to figure out these needs months if not years before the need appears (as there is also a need on the business side to investigate whether the market and return are worth it). Reverse engineering is the process of observing what something does and drilling into how it works or how it was built. This process typically involves investigation, a lot of reading and talking to customers.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/img/tree3.jpg&quot; alt=&quot;tree3&quot; /&gt;&lt;/p&gt;

&lt;p&gt;These diagrams are the very high-level version of what the real version looks like. I usually have 1 or 2 pages worth of notes per feature, on why we should do it, other competitors that do it well, or the potential revenue it might generate.&lt;/p&gt;

&lt;p&gt;The reverse engineering part becomes especially useful as we think about moon shots. These are projects that are far/further out from your core branch and in the future. Imagine starting at the “Raw internet scanning” square and in the opposite corner having “cyberinsurance”, and having to write how to get from point A to point B.&lt;/p&gt;

&lt;p&gt;Because I have the engineering background I can also drill into the technicalities of how much work and what type of work would be needed for these features to be delivered and how they connect with each other to deliver a final product planned/thought experience.&lt;/p&gt;

&lt;p&gt;Now, I can hear you snickering in the background if you’re a product manager: “this is easy planning”. My answer to you would be “Ok, let’s see you correctly plan the order, technical needs and timing needed to get these features built”. If you’re an engineer you’re saying “Well, this is basic planning, I can easily write the spec, the API or plan the data schema”; to that I answer “Sure, and I bet you’ll end up with a feature that your customer neither needs nor wants”.&lt;/p&gt;

&lt;p&gt;The concept of product engineering led me to write this as I always knew the skills I had, but never a way to name them. Now I do.&lt;/p&gt;</content><author><name></name></author><category term="leadership" /><category term="product" /><category term="strategy" /><summary type="html">This week I read an interesting article about “Product Engineering”. I’ve often found myself as both a product leader but also the engineering lead, and absolutely feel like I couldn’t do one without the other.</summary></entry><entry><title type="html">A guide to R&amp;amp;D</title><link href="/innovation/r&d/research/2022/08/14/rnd.html" rel="alternate" type="text/html" title="A guide to R&amp;amp;D" /><published>2022-08-14T22:00:00+00:00</published><updated>2022-08-14T22:00:00+00:00</updated><id>/innovation/r&amp;d/research/2022/08/14/rnd</id><content type="html" xml:base="/innovation/r&amp;d/research/2022/08/14/rnd.html">&lt;p&gt;A little over a month ago, I announced that I had switched positions at my current employer.&lt;/p&gt;

&lt;blockquote class=&quot;twitter-tweet&quot;&gt;&lt;p lang=&quot;en&quot; dir=&quot;ltr&quot;&gt;With our new funding round announcement, I am also taking a new position at Coalition as Head of R&amp;amp;D. I&amp;#39;m grateful that I got to run+grow the &lt;a href=&quot;https://twitter.com/binaryedgeio?ref_src=twsrc%5Etfw&quot;&gt;@binaryedgeio&lt;/a&gt; teams these years, I now shift my focus to build an even larger moat for &lt;a href=&quot;https://twitter.com/SolveCyberRisk?ref_src=twsrc%5Etfw&quot;&gt;@SolveCyberRisk&lt;/a&gt; when it comes to risk selection.&lt;/p&gt;&amp;mdash; Tiago Henriques (@Balgan) &lt;a href=&quot;https://twitter.com/Balgan/status/1545444215907356674?ref_src=twsrc%5Etfw&quot;&gt;July 8, 2022&lt;/a&gt;&lt;/blockquote&gt;

&lt;p&gt;I had already been running the research team at Coalition for a while, however on top of that I was running Security engineering operations (my old startup BinaryEdge, Coalition Control, Security analysts, etc…), which in itself is easily a fulltime job. So with us having found someone fantastic to run the SecEng ops, I’m now moving to focus full-time on R&amp;amp;D.&lt;/p&gt;

&lt;p&gt;This post is a write up on how I think about R&amp;amp;D, the team and approaches that my teams will take.&lt;/p&gt;

&lt;h2 id=&quot;the-job&quot;&gt;The job…&lt;/h2&gt;

&lt;p&gt;Often when thinking about R&amp;amp;D teams, people immediately think about them building amazing technology. However, the research starts months if not years before we get to that point!&lt;/p&gt;

&lt;p&gt;It all starts with customers!&lt;/p&gt;

&lt;p&gt;Having been certified in the school of design thinking from &lt;a href=&quot;https://www.ideo.com&quot;&gt;IDEO&lt;/a&gt;, I’ve long been taught customer is king and should be your main focus.&lt;/p&gt;

&lt;p&gt;So what is the job of a researcher? If I had to break it down, I believe it looks something like this:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/img/rnd-breakdown.jpg&quot; alt=&quot;rnd&quot; /&gt;&lt;/p&gt;

&lt;p&gt;&lt;em&gt;(this process doesn’t have one direction and is very agile-ish in that you can iterate through multiple phases ie: reading &amp;lt;-&amp;gt; thinking &amp;lt;-&amp;gt; reading &amp;lt;-&amp;gt; documenting)&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;What do these different phases mean?&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Observing&lt;/strong&gt; - A researcher, like any other person that builds or wants to solve a problem, has an end customer. It can be internal or external, technical or non-technical, among many other types (defining personas is part of a nice team exercise, a blogpost for another day). The way to understand the problems you’re solving and to find new problems to solve is to observe these users. Ask them to let you observe them while they work, or while they go about their day to day, and document everything that you observe. The richer the documentation the better. For example, I’ve done exercises where we would record video of full days of work or of following our customers, as post-analysis of those videos gave me extra insight that I couldn’t get immediately at observation time. However, notes or voice recordings of your comments also work (hint: &lt;a href=&quot;www.otter.ai&quot;&gt;otter.ai&lt;/a&gt; provides a free service that transcribes your notes)!&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Reading&lt;/strong&gt; - A big part of being a researcher is knowing you don’t know everything and being open to learning new things. It’s important to keep up with what is happening in the world of research. Make sure you’re taking the time to look at &lt;a href=&quot;https://arxiv.org&quot;&gt;arXiv&lt;/a&gt; or journals to see the latest papers published. Diagonally read through many, filter down some to read in detail (especially those in areas of interest to you or your colleagues).&lt;/p&gt;

&lt;p&gt;A great combo here is:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Step 1 - Go to &lt;a href=&quot;https://openknowledgemaps.org/&quot;&gt;Open Knowledge Maps&lt;/a&gt; and type the topic you’re researching. This will give you a view like the following image, which looks for adjacent topics to yours and associated papers&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;img src=&quot;/assets/img/openknowledge.png&quot; alt=&quot;ok&quot; /&gt;&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;
    &lt;p&gt;Step 2 - Select some papers you like, grab their Arxiv link for example https://arxiv.org/abs/2102.05568&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;Step 3 - Go to https://inciteful.xyz/ - Type the link there and find similar papers&lt;/p&gt;
  &lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;img src=&quot;/assets/img/inciteful.png&quot; alt=&quot;inciteful&quot; /&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Thinking&lt;/strong&gt; - You’re being paid to solve problems. But if the problems were easy to solve, someone else would have done so already. Take this time and really think about the observations you’ve made, formulate potential experiments and also try different thought models. Think about the &lt;a href=&quot;https://fs.blog/second-order-thinking/&quot;&gt;second and third order impacts&lt;/a&gt; of some of the decisions you’re making when devising potential solutions.&lt;/p&gt;

&lt;p&gt;My recommendation here is &lt;a href=&quot;www.miro.com&quot;&gt;Miro&lt;/a&gt;. Miro is a fantastic tool, I am a heavy user and do a ton of visualizations, diagrams and workflows in Miro for some of the work that I am doing. (You can even see a diagram from this blogpost there!)&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/img/miro.png&quot; alt=&quot;miro&quot; /&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Executing&lt;/strong&gt; - This is where you BUILD. Building can come in different forms. It can be writing code for an analysis, building a machine learning model, building a &lt;a href=&quot;https://www.entrepreneur.com/article/307454&quot;&gt;PoC or a Prototype&lt;/a&gt; (they are not the same.)&lt;/p&gt;

&lt;p&gt;The execution on R&amp;amp;D teams tends to be very different from engineering teams, where you want to develop good maintainable, readable code and with tests. R&amp;amp;D is about failing fast, failing cheap, and recovering even faster. So we don’t typically get enamored with our code or even with the first 1-2-3 iterations of the solutions we find. It’s about speed and cutting down on the different experiments you’re trying out to filter down to an acceptable amount of final solutions.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Documenting&lt;/strong&gt; - Writing things down should come naturally to you; if you’re doing it along the other phases this phase should actually be more about “cleaning up” and organizing your documentation rather than doing full write-ups. Your team should have some templates for projects that you can use, and those should set expectations on the documentation needed per project.&lt;/p&gt;

&lt;p&gt;My current recommendation here is &lt;a href=&quot;www.notion.so&quot;&gt;Notion&lt;/a&gt;. I’ve tried a few others, but the flexibility of Notion, allowing sharing and publishing and being markdown based, make it my favorite tool.&lt;/p&gt;

&lt;p&gt;This phase also becomes important as you think about handover. Typically an R&amp;amp;D team will find a solution for a problem that works and that is scalable, and then deliver it to an engineering team for final implementation and operations. Having clear documentation on how something works, how and why it was built will be insanely important.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Teaching&lt;/strong&gt; - You will make mistakes, you will have successes, you will find novel research and problems. It’s extremely important that you hand over all these learnings to the rest of your team. Make sure you’re spending time demo-ing the stuff you’re building, sharing that cool paper that you just read/found, letting other people in the team know about that cool python function you just built and that they can re-use. Also, go learn from others.&lt;/p&gt;

&lt;h2 id=&quot;team&quot;&gt;Team&lt;/h2&gt;

&lt;p&gt;A team should have a diverse set of skills and methods of thinking. I wouldn’t want to create an R&amp;amp;D team where everyone has the same skillset (eg: software engineers) and same way of thinking (eg: machine learning models &amp;gt; rules engines). Different problems require different solutions, and different solutions require different schools of thought.&lt;/p&gt;

&lt;p&gt;You will then also want to look to the background of the people you’re hiring and bring people that went to different colleges, have different backgrounds, while at the same time there is a small set of skills that they must all have in common: creativity (obvious), perseverance (the problems you’re solving shouldn’t be easy or there would be no need for an R&amp;amp;D team) and passion about the problems they are working on.&lt;/p&gt;

&lt;p&gt;When defining my team, I looked to the type of problems I at least knew we were going to see and solve on a daily basis on the job, and from that I pivoted to sets of keywords that are adjacent to the area of the initial problem (eg: Insurance risk -&amp;gt; automation, big data, actuarial knowledge, data science, machine learning). These word clouds then define the different skills sets and weights that I need from the people in my team.&lt;/p&gt;

&lt;h2 id=&quot;thinking-about-which-projects-to-tackle&quot;&gt;Thinking about which projects to tackle&lt;/h2&gt;

&lt;p&gt;Companies that get to the point of wanting an R&amp;amp;D team usually have a substantial amount of problems that can be tackled and, much like engineering work, the number of researchers to work on them is usually “not enough”.&lt;/p&gt;

&lt;p&gt;To decide which problems my teams tackle and how to prioritize them, any problem that is discovered is placed in a quadrant that looks a little something like this, which can also then be used to give status updates to stakeholders:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/img/riskreward.jpg&quot; alt=&quot;rreward&quot; /&gt;&lt;/p&gt;

&lt;p&gt;In this quadrant I present the Risk and Reward of the different projects but also the “state” of each milestone, in a clear and easy way.&lt;/p&gt;

&lt;p&gt;One other interesting piece about placing them in a quadrant like this is that there is typically a correlation of higher risk/reward with project complexity and, depending on availability of your team members, it becomes easier to allocate the work (for example, you might only have new joiners or less experienced members available that can only tackle specific projects, vs more senior and experienced that can attack more complex projects).&lt;/p&gt;

&lt;h1 id=&quot;conclusion&quot;&gt;Conclusion&lt;/h1&gt;

&lt;p&gt;R&amp;amp;D teams tend to operate at a different speed from engineering teams; however, the demand for documentation and clarity from them should also be extremely high. I believe R&amp;amp;D teams can learn a lot from Sr PMs by observing how they write requirements for engineering teams, to understand what type of documentation they should be producing on the projects they are working on.&lt;/p&gt;

&lt;p&gt;An R&amp;amp;D team can’t always be working on moonshot projects. There are sometimes smaller, shorter-term projects (in R&amp;amp;D terms that’s 6 months to 1 year) that can and should be tackled, and this mostly has to do with time. Often, due to lack of resources, engineering teams aren’t offered the benefit of researching and testing different solutions to problems, so the R&amp;amp;D team acting as an extension that helps engineering teams by tackling that is a positive.&lt;/p&gt;

&lt;h2 id=&quot;log4j-and-cve-2021-44228&quot;&gt;Log4J and CVE-2021-44228&lt;/h2&gt;

&lt;p&gt;Log4J is an open source Java logging library that is widely used by many platforms (VMware, Elasticsearch, Struts, Druid, Flume, Hadoop) and many companies (Apple, Tesla, AWS, Cloudflare). A vulnerability discovered in November 2021 (CVE-2021-44228, nicknamed Log4Shell) was going to bring us the end of cyber-times, except it didn’t.&lt;/p&gt;

&lt;h2 id=&quot;aggregation&quot;&gt;Aggregation&lt;/h2&gt;

&lt;p&gt;What is Risk Aggregation? Aggregation is the exposure an insurer has to numerous claims that all trace back to the same underlying risk or event. Managing it means looking at the shared assets, vendors and dependencies between the different policyholders on their book, and limiting how much of the book rides on any single one of them.&lt;/p&gt;

&lt;p&gt;As an example, think about Hosting providers, when parts of AWS go down (as they have multiple times in the last 30 days) all companies that use that AWS region potentially have some type of business interruption due to that incident that could potentially be covered by their policy. So as an insurance provider, you want to make sure your book has a healthy distribution across other providers like GCP or Azure.&lt;/p&gt;

&lt;h2 id=&quot;combining-the-two&quot;&gt;Combining the two…&lt;/h2&gt;

&lt;p&gt;So how does log4j and aggregation come together?&lt;/p&gt;

&lt;p&gt;If you read any article about Log4J you will see titles such as “CYBER PANDEMIC - Log4J Catastrophe”. The reason for this is the potential attack surface of Log4J.&lt;/p&gt;

&lt;p&gt;Let’s take a look at the vendors and products that use Log4J (we can do this by pulling the updated data from the &lt;a href=&quot;https://github.com/NCSC-NL/log4shell&quot;&gt;NCSC github repository&lt;/a&gt; and plotting a force graph that shows the connections for those vendors and products).&lt;/p&gt;

&lt;iframe width=&quot;100%&quot; height=&quot;734&quot; frameborder=&quot;0&quot; src=&quot;https://observablehq.com/embed/@worldofbalgan/log4j-graph-vendors-and-products?cells=chart&quot;&gt;&lt;/iframe&gt;

&lt;p&gt;Looking at the data from this perspective it shows how widely used Log4J really is, and if all you’re using is this measure it’s easy to see why the industry as a whole had a &lt;del&gt;mild&lt;/del&gt; panic attack.&lt;/p&gt;

&lt;p&gt;However, we have data that can help us understand the situation better and give a better perspective than the “end of times are coming for cyber” story that many vendors sold, including to some of our partners with whom I spent time on the phone over the last few weeks, because, you see, the devil is in the details….&lt;/p&gt;

&lt;p&gt;I’ve seen multiple presentations about aggregation and a lot of them use force graphs to represent aggregations, hell, I’ve done it myself in my post on &lt;a href=&quot;https://www.balgan.world/cyber/cyberinsurance/cybersecurity/2021/02/11/cyberviewcovidchain.html&quot;&gt;COVID supply chain cyber analysis&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;“Why does how you visualize it matter, Tiago?”, I hear you ask. It matters because visualizing it as a force graph gives you an idea of the relationship/dependency, which is &lt;strong&gt;part&lt;/strong&gt; of what aggregation is about, BUT it doesn’t paint a realistic picture of how the world works, as it shows all assets as homogeneous and they are not, as we will see in the next sections.&lt;/p&gt;

&lt;h3 id=&quot;come-on-in-sankeys&quot;&gt;Come on in sankeys!&lt;/h3&gt;

&lt;p&gt;It’s widely known that Microsoft Windows suffers from ransomware a lot more than other operating systems like Linux or OSX. So does that mean that Windows should be taken as a whole when thinking about aggregation scenarios for ransomware? Absolutely not. There are two reasons which make it extremely important to look one or two levels deeper if we’re trying to get an accurate calculation of potential aggregation scenarios.&lt;/p&gt;

&lt;h3 id=&quot;reason-1-assets-aint-all-the-same&quot;&gt;Reason 1: Assets ain’t all the same!&lt;/h3&gt;

&lt;p&gt;For the last 7 years my job has been scanning the entire IPv4 space and parts of IPv6 to understand what gets exposed to the internet. To look at Windows versions, I grabbed our worldwide scans for SMB, as our module for scanning SMB has operating system identification.&lt;/p&gt;

&lt;p&gt;On our SMB scans where we were able to extract the OS version, we found a total of &lt;strong&gt;1,184,706&lt;/strong&gt; machines on the internet.&lt;/p&gt;

&lt;p&gt;Now, if we only think about the attack surface a vulnerability has based on the high-level target (aka only “Windows”), this is a HUGE number. However, let’s take a look at the details of a vulnerability announcement. Let’s pick BlueKeep (CVE-2019-0708), which is a vulnerability widely known to have been really bad for Windows.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/img/bluekeep.png&quot; alt=&quot;bluekeep&quot; /&gt;
Source: &lt;a href=&quot;https://www.cisa.gov/uscert/ncas/alerts/AA19-168A&quot;&gt;CISA&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;We can see that not all versions of Windows are vulnerable. CISA details which versions are vulnerable, and now we know only a subset of Windows is vulnerable to BlueKeep. Now let’s take a look at our world scans with the breakdown of Windows versions.&lt;/p&gt;

&lt;iframe width=&quot;100%&quot; height=&quot;1000&quot; frameborder=&quot;0&quot; src=&quot;https://observablehq.com/embed/@worldofbalgan/sankey-windows-versions?cells=chart&quot;&gt;&lt;/iframe&gt;

&lt;p&gt;Using today’s numbers, out of &lt;strong&gt;1,184,706&lt;/strong&gt; only &lt;strong&gt;318,251&lt;/strong&gt; are on a vulnerable version. Still a scary number.
Notice how the shift from a force graph to a sankey diagram in the display forces you to think a level deeper about the targets for this vulnerability. We can drill even deeper, by scanning for machines actually vulnerable to BlueKeep, as we have a module for it.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/img/bluekeep-world.png&quot; alt=&quot;bluekeep-exposure&quot; /&gt;&lt;/p&gt;

&lt;p&gt;We end up with &lt;strong&gt;160,063&lt;/strong&gt; machines vulnerable. Still a big number, but so much smaller than our initial &lt;strong&gt;1,184,706&lt;/strong&gt;. So even though we had a vulnerability for Windows, not all Windows machines were vulnerable, and we can go through this same exercise with any other vulnerability.&lt;/p&gt;
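&lt;p&gt;To make the three-step funnel above concrete (all hosts with an OS banner, hosts on a version family CISA lists as affected, hosts a BlueKeep probe actually confirms), here is an added example. It is not the BinaryEdge scanning code or any data from this post: the OS banner strings, the banner-to-family patterns and the per-host probe results are all constructed stand-ins. It buckets hosts by Windows family, computes the funnel counts, and emits the source/target/count edges a sankey diagram needs.&lt;/p&gt;

```python
import re
from collections import Counter
from typing import List, Optional, Tuple

# Windows families listed by CISA (AA19-168A) as affected by BlueKeep, CVE-2019-0708.
# Windows 8/8.1, Windows 10 and Windows Server 2012 onward are not affected.
BLUEKEEP_FAMILIES = frozenset({
    "Windows 2000", "Windows XP", "Windows Vista", "Windows 7",
    "Windows Server 2003", "Windows Server 2008", "Windows Server 2008 R2",
})

# Banner patterns are an assumption for this example; order matters so the more
# specific label wins (2008 R2 before 2008, 8.1 before 8).
FAMILY_PATTERNS = [
    (re.compile(r"Windows Server 2008 R2", re.I), "Windows Server 2008 R2"),
    (re.compile(r"Windows Server 2008\b", re.I), "Windows Server 2008"),
    (re.compile(r"Windows Server 2003\b", re.I), "Windows Server 2003"),
    (re.compile(r"Windows Server (2012|2016|2019|2022)", re.I), "Windows Server 2012 or later"),
    (re.compile(r"Windows 2000\b", re.I), "Windows 2000"),
    (re.compile(r"Windows XP\b", re.I), "Windows XP"),
    (re.compile(r"Windows Vista\b", re.I), "Windows Vista"),
    (re.compile(r"Windows 7\b", re.I), "Windows 7"),
    (re.compile(r"Windows 8\.1\b", re.I), "Windows 8.1"),
    (re.compile(r"Windows 8\b", re.I), "Windows 8"),
    (re.compile(r"Windows 10\b", re.I), "Windows 10"),
]

# (OS banner, BlueKeep probe result): True = probe confirmed vulnerable,
# False = probe negative (patched or NLA enforced), None = host not probed.
# Constructed records, not data from the original post.
SAMPLE_HOSTS: List[Tuple[str, Optional[bool]]] = [
    ("Windows 7 Professional 7601 Service Pack 1", True),
    ("Windows 7 Ultimate 7601 Service Pack 1", False),
    ("Windows Server 2008 R2 Standard 7601 Service Pack 1", True),
    ("Windows Server 2008 Standard 6002 Service Pack 2", False),
    ("Windows Server 2003 3790 Service Pack 2", True),
    ("Windows XP Professional 2600 Service Pack 3", None),
    ("Windows 10 Pro 19042", None),
    ("Windows 10 Enterprise 18363", None),
    ("Windows Server 2012 R2 Standard 9600", None),
    ("Windows Server 2016 Standard 14393", None),
    ("Windows 8.1 Pro 9600", None),
    ("Samba 4.13.3", None),
]

def classify(banner: str) -> str:
    """Map an OS banner to a Windows family label, or 'other' for anything else."""
    for pattern, label in FAMILY_PATTERNS:
        if pattern.search(banner):
            return label
    return "other"

def exposure_funnel(records) -> dict:
    """Count hosts at each level: all with an OS, vulnerable version family, probe-confirmed."""
    vulnerable_version = [hit for banner, hit in records if classify(banner) in BLUEKEEP_FAMILIES]
    return {
        "total": len(records),
        "by_family": Counter(classify(banner) for banner, _ in records),
        "version_vulnerable": len(vulnerable_version),
        "confirmed_vulnerable": sum(1 for hit in vulnerable_version if hit is True),
        "probe_negative": sum(1 for hit in vulnerable_version if hit is False),
        "not_probed": sum(1 for hit in vulnerable_version if hit is None),
    }

PROBE_LABEL = {True: "confirmed vulnerable", False: "probe negative", None: "not probed"}

def sankey_links(records) -> List[Tuple[str, str, int]]:
    """(source, target, count) edges for a family -> version status -> probe result sankey."""
    links: Counter = Counter()
    for banner, hit in records:
        family = classify(banner)
        if family in BLUEKEEP_FAMILIES:
            links[(family, "vulnerable version")] += 1
            links[("vulnerable version", PROBE_LABEL[hit])] += 1
        else:
            links[(family, "not affected")] += 1
    return sorted((src, dst, n) for (src, dst), n in links.items())

if __name__ == "__main__":
    funnel = exposure_funnel(SAMPLE_HOSTS)
    print(f"{funnel['total']} hosts, {funnel['version_vulnerable']} on a vulnerable version, "
          f"{funnel['confirmed_vulnerable']} confirmed by probe")
    for src, dst, n in sankey_links(SAMPLE_HOSTS):
        print(f"{src} -> {dst}: {n}")
```

&lt;p&gt;The point of keeping the probe result as a third stage is that “vulnerable version” and “actually exploitable” diverge: a Windows 7 host with the patch applied or NLA enforced sits in the middle bucket but drops out of the last one, which is exactly the gap between the 318,251 and 160,063 figures above.&lt;/p&gt;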

&lt;h3 id=&quot;reason-2-assets-arent-all-located-in-the-same-homogeneous-environments-either-nor-to-they-have-homogeneous-behaviours&quot;&gt;Reason 2: Assets aren’t all located in the same homogeneous environments either nor to they have homogeneous behaviours&lt;/h3&gt;

&lt;p&gt;Back to Log4J. Looking at our vendor usage graph, if it’s so widely used, why have we not seen an absolute meltdown of the internet and the biggest botnet ever being built?&lt;/p&gt;

&lt;p&gt;This is because the attackers still need to figure out how to reach log4j, and how to customize the attack to fit the environments of the targets that are potentially attackable.&lt;/p&gt;

&lt;p&gt;In the first few days we observed a lot of internet spraying/scanning using the User-Agent header.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/img/jndi-sensors.png&quot; alt=&quot;jndi&quot; /&gt;&lt;/p&gt;

&lt;p&gt;This is the low-hanging-fruit version of this attack. The easiest way for attackers to reach Log4J was injecting the JNDI lookup string into the User-Agent header; whatever logged that header with a vulnerable Log4J version would then be exploited. We did the same type of scanning, and the number of vulnerable machines we discovered was close to 40,000 IP addresses from which we received some type of callback across ports 80, 443 and 8080, and these have been decreasing day over day.&lt;/p&gt;

&lt;p&gt;So what about all the other applications that are vulnerable? Those require attackers to start customizing the payloads, techniques and tactics they use, which, compared to the ROI of exploiting other vulnerabilities at mass scale, makes it simply not worth it.&lt;/p&gt;

&lt;p&gt;An example of trying to &lt;a href=&quot;https://www.sprocketsecurity.com/blog/how-to-exploit-log4j-vulnerabilities-in-vmware-vcenter&quot;&gt;exploit VMware vCenter has been posted&lt;/a&gt; and, quoting GossiTheDog, “Exploiting vendor specific products isn’t easy”.&lt;/p&gt;

&lt;p&gt;On top of all the customization per application, attackers will have to deal with WAFs, XDRs and other types of defences that build up over time. So right now, if you’re a defender, act. You have an advantage.&lt;/p&gt;

&lt;h3 id=&quot;are-you-saying-we-wont-see-log4j-exploitation&quot;&gt;Are you saying we won’t see Log4J exploitation?&lt;/h3&gt;

&lt;p&gt;No. I’m saying we won’t see mass exploitation of internet-exposed Log4J or a worm that leads to a massive amount of ransomware. This vulnerability is a very powerful tool that has just been added to attackers’ belts for lateral movement, and you will see a really long tail of it being used internally. It’s important not to dismiss it and to keep up on patching or removing the exposure.&lt;/p&gt;

&lt;h3 id=&quot;conclusion&quot;&gt;Conclusion&lt;/h3&gt;

&lt;p&gt;For all security vendors and insurance modelling vendors that I saw over the last few weeks 🚑 chasing this vulnerability and selling that your product could defend or help with a “cybercatastrophe” I suggest that you take a good look in the mirror and review how you’re behaving in this industry as that type of behaviour is not helpful in any way even if it might boost a couple of sales of your product.&lt;/p&gt;

&lt;p&gt;Use data, understand how a vulnerability works, setup sensors and observe the behaviour of attackers and what the exposure looks like a bit more indepth than just pulling BinaryEdge, Shodan, Censys data for the product version. Cyber is a type of risk that is much more dynamic and complex than most and can’t be treated with same typical aggregation techniques that have been used in the past, just like how underwriting needs to be treated differently.&lt;/p&gt;</content><author><name></name></author><category term="cyberinsurance" /><category term="insurance" /><category term="cybersecurity" /><summary type="html">By now everyone has heard of Log4J but if you haven’t here is a tl;dr.</summary></entry><entry><title type="html">Observations on current state and future of metaverse</title><link href="/metaverse/crypto/nft/2021/09/04/metaverse.html" rel="alternate" type="text/html" title="Observations on current state and future of metaverse" /><published>2021-09-04T22:00:00+00:00</published><updated>2021-09-04T22:00:00+00:00</updated><id>/metaverse/crypto/nft/2021/09/04/metaverse</id><content type="html" xml:base="/metaverse/crypto/nft/2021/09/04/metaverse.html">&lt;p&gt;Blockchain and all cryptocurrency related topics have been at a all time high when it comes to hype and value over the last few months. A specific sub-topic of cryptocurrencies has been more prominent on the news than the rest, NFTs (non-fungible-tokens). I have no intention to write for the 1001 time what an NFT is other than the absolute basics for you to get this post, there are already plenty of articles about it as there are youtube videos. Google/Bing it.&lt;/p&gt;

&lt;p&gt;I’ve spent the last few months researching and learning about NFTs and the ecosystem around them, and although sceptical at first, I am now convinced there is something special there. I tried the easiest route first and asked on our work Slack what the hell was up with NFTs and their hype, and I got a lot of sceptical answers.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/img/nft-slack.png&quot; alt=&quot;nftslack&quot; /&gt;&lt;/p&gt;

&lt;p&gt;This meant only one thing: I had to go outside my bubble, and the only way I know how is to put my cash where my mouth is and get into the damn thing.&lt;/p&gt;

&lt;h1 id=&quot;nft-in-a-minute&quot;&gt;NFT in a minute&lt;/h1&gt;

&lt;p&gt;An NFT is an object that can belong to a collection. NFTs are created, or minted (typically by an artist or team), and come with certain properties that define how rare an NFT is. Example:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/img/mummy.jpeg&quot; alt=&quot;mummy&quot; /&gt;&lt;/p&gt;

&lt;p&gt;This is my Bored Mummy that I bought from the &lt;a href=&quot;https://www.boredmummywakingup.com/&quot;&gt;Bored Mummy Waking Up project&lt;/a&gt;; it’s number 1649 out of 8900 mummies that exist, and these are its properties:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/img/mummyprop.png&quot; alt=&quot;mummyprop&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Compare them to a rarer mummy, like number 446:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/img/mummyrare.png&quot; alt=&quot;mummyrare&quot; /&gt;&lt;/p&gt;

&lt;p&gt;The yellow laser and gold space mask raise the rarity of this mummy, and with buyer demand the price goes up too.&lt;/p&gt;

&lt;p&gt;These properties are all accessible via code, as all of them are stored on the blockchain.&lt;/p&gt;

&lt;p&gt;That’s all you really need to know.&lt;/p&gt;

&lt;h1 id=&quot;getting-educated-on-the-subject&quot;&gt;Getting educated on the subject&lt;/h1&gt;

&lt;p&gt;I started by trying to understand what the hell an NFT was and how I could get one; I went to YouTube for my initial education.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/img/nft-youtube.png&quot; alt=&quot;nftyt&quot; /&gt;&lt;/p&gt;

&lt;p&gt;This… felt like a scam. A bunch of “influencers” pushing their favorite NFT projects to get people to buy and make prices go up. However, I also noticed these were all the same type of videos, so I decided to ignore them and dig a bit deeper.&lt;/p&gt;

&lt;p&gt;I had a bunch of Ether left on an old account, so I registered for an OpenSea account and started exploring the different projects. At the same time, Mark Zuckerberg gave his interview where he talked about the metaverse, and Facebook introduced their new VR solution called &lt;a href=&quot;https://www.cbsnews.com/news/facebook-launches-horizon-workrooms-virtual-reality-app/?ftag=CNM-00-10aab8d&amp;amp;linkId=128230259&quot;&gt;Horizon Workrooms&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;This is where things started to click.&lt;/p&gt;

&lt;h1 id=&quot;nfts-are-in-bubble-mode-right-now-but-have-a-great-potential&quot;&gt;NFTs are in bubble mode right now but have a great potential&lt;/h1&gt;

&lt;p&gt;A lot of the projects that exist today won’t be here two years from now. NFTs started as “an artist can get paid and earn royalties without a middleman” and have since changed into large projects that involve heavy software engineering skills to deliver.&lt;/p&gt;

&lt;p&gt;Even influencers and people bullish on NFTs (like Gary Vee) warn you that most projects won’t be here and that you shouldn’t invest any money you aren’t prepared to lose tomorrow.&lt;/p&gt;

&lt;p&gt;However, in the middle of all these projects there are some that appear well staffed. Just take a look at the team behind &lt;a href=&quot;https://staratlas.com/&quot;&gt;Star Atlas&lt;/a&gt; as an example: it’s a beautiful website with a great promise of selling NFTs that will be usable in-game. This is a huge endeavour that involves lots of different skills, from coding (in-game, app and blockchain development) to graphic design, plus all the management structure. (PS: I have no involvement with the Star Atlas team.)&lt;/p&gt;

&lt;p&gt;Star Atlas, although more evolved than most of the other projects that I’ve seen, is still only a limited view of the potential NFTs might have…&lt;/p&gt;

&lt;h1 id=&quot;enter-metaverse&quot;&gt;Enter metaverse…&lt;/h1&gt;

&lt;p&gt;The metaverse is a concept we first heard about in Snow Crash, a movie from 1992: it was a virtual shared space created by mixing both the virtual and the physical world. We’ve seen other examples of this, OASIS from Ready Player One, and one could argue Sword Art Online is a complete metaverse. To put it simply, think of the metaverse as a system where something that happens in the digital world has some type of impact in the physical world, and vice versa.&lt;/p&gt;

&lt;p&gt;I would love to see a company start to work on building a proper metaverse, not one focused on games but one building the base blocks (similar to how Roblox did it to enable people who wanted to create worlds) so that all of this could be used for more than just gaming (personally I feel that is too easy a use case; one could argue Fortnite has already been doing it without blockchain for a while). Here is an example:&lt;/p&gt;

&lt;p&gt;Let’s say you have a pet in the physical world, and in the digital one too (how many of you who play games copy your real-life pets into in-game pets?). Unfortunately your pet dies of a disease that isn’t well researched, and you decide to honor its memory: you want to play your part and fund one of these research programmes.&lt;/p&gt;

&lt;p&gt;In a real metaverse, here is how that goes.&lt;/p&gt;

&lt;p&gt;When your pet dies, you mint an NFT and immediately build a smart contract that says that when that NFT is sold, all profit is directed to an institution that does research on this disease, simply by adding the address of their wallet. The NFT of my pet has a “contributor to research advancement” property, and whoever ends up being the owner is able to show that they made a difference.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/img/metaverse1.jpg&quot; alt=&quot;metaverse1&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Another example is with art: imagine buying a piece in real life that comes with an NFT, one you could use in your virtual office in Facebook Workrooms (or any other virtual workspace, since we will have unified APIs that make all the different platforms compatible). You find a new artist and put their painting up in both your real-life and your digital office; over time, people who visit your office get to know the artist, he becomes more famous, more people buy his paintings OR NFTs, and both your digital and your physical version go up in value. All while being able to give back royalties to the original artist…&lt;/p&gt;

&lt;h1 id=&quot;i-dont-get-the-point&quot;&gt;I don’t get the point…&lt;/h1&gt;

&lt;p&gt;It’s possible you don’t, and that it might not make sense to you. You could easily say “this is a solved problem; if you want to fund a programme, just fund a programme”, but the reality is that this way I could probably raise more money, and faster.&lt;/p&gt;

&lt;p&gt;One of the problems I’ve seen with NFTs is the opposite side of “the influencers”: people who think that the implementation of the technology is all that matters, and unfortunately that is not true…&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;It’s about the clout!&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;We lie to ourselves if we think that everyone has the same objectives, be it altruism, making money or simply being able to show off your cool collection of NFTs to your friends. The metaverse, just like the real world, needs to support and have mechanisms for all these different types of personas.&lt;/p&gt;

&lt;p&gt;I’ve met a LOT of people who could not care less about how they dress, what others think of them, or clout at all. Just as there are others who do, especially in the younger generation… Just like I love my Air Jordan 1 collection and, any time I go out, I love picking the right outfit, I treat my NFTs the same way…&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/img/air1s.JPG&quot; alt=&quot;air1s&quot; /&gt;&lt;/p&gt;

&lt;p&gt;It’s early in the game of NFTs.&lt;/p&gt;

&lt;p&gt;Right now, unfortunately, much of it is still a game of quick flips for a coin; however, the future is bright. I look around and the two companies I see most poised to successfully achieve something in this space are Microsoft and Facebook. Both have interesting ecosystems, user penetration and the budgets to really build something special.&lt;/p&gt;

&lt;p&gt;Another potential contender is certainly Disney. With all the different universes they have, there is sooo much potential to do something interesting with Marvel, Star Wars, Pixar, and their counterparts in the real world like their parks and toys. I hope they jump on this bandwagon soon.&lt;/p&gt;

&lt;p&gt;I’ve only briefly started digging into the potential of the metaverse, but I already have a ton of ideas. We need an org that builds the foundations: standardized APIs and contracts that allow for communication between physical and digital, but also between the different universes within the digital.&lt;/p&gt;

&lt;p&gt;How is the VC space feeling about investing in metaverse-focused companies?&lt;/p&gt;

&lt;h1 id=&quot;one-last-observation-what-made-them-big-is-also-hurting-them&quot;&gt;One last observation… what made them big is also hurting them.&lt;/h1&gt;

&lt;p&gt;Ethereum and its smart contracts allowed for the creation of NFTs; however, I also believe it’s what is hurting them at the moment. The gas fees on the Ethereum blockchain are high and often stop people from buying NFTs. Just look at the example from this transaction:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/img/gasfees.png&quot; alt=&quot;gas&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Ethereum 2.0 is coming out next year, which will help with this, but it’s a shame to see how much this is currently hurting the growth of NFT communities.&lt;/p&gt;</content><author><name></name></author><category term="metaverse" /><category term="crypto" /><category term="nft" /><summary type="html">Blockchain and all cryptocurrency-related topics have been at an all-time high when it comes to hype and value over the last few months. A specific sub-topic of cryptocurrencies has been more prominent in the news than the rest: NFTs (non-fungible tokens). I have no intention of writing for the 1001st time what an NFT is, other than the absolute basics for you to get this post; there are already plenty of articles about it, as well as YouTube videos. Google/Bing it.</summary></entry><entry><title type="html">Mythbusters:The cyber insurance edition</title><link href="/cyber/cyberinsurance/cybersecurity/2021/08/31/debunkingcyber.html" rel="alternate" type="text/html" title="Mythbusters:The cyber insurance edition" /><published>2021-08-31T00:56:18+00:00</published><updated>2021-08-31T00:56:18+00:00</updated><id>/cyber/cyberinsurance/cybersecurity/2021/08/31/debunkingcyber</id><content type="html" xml:base="/cyber/cyberinsurance/cybersecurity/2021/08/31/debunkingcyber.html">&lt;p&gt;In the last year, I’ve learned a lot about cyber insurance, and I’ve also seen many incorrect facts being stated by fellow peers in infosec.&lt;/p&gt;

&lt;p&gt;In this post, I attempt to debunk some of these incorrect facts, while giving a quick introduction to some insurance concepts and writing about why I believe cyber insurance will play an important part in the future of cybersecurity.&lt;/p&gt;

&lt;p&gt;Let me start by immediately admitting - I am biased. A cyber insurance provider &lt;a href=&quot;https://www.balgan.world/startup/management/acquisition/2020/10/18/1yearpassed.html&quot;&gt;acquired my startup&lt;/a&gt;. I work for said &lt;a href=&quot;https://coalitioninc.com&quot;&gt;cyber insurance provider&lt;/a&gt;, and I believe in the mission we are trying to accomplish.&lt;/p&gt;

&lt;p&gt;Let’s get started…&lt;/p&gt;

&lt;h1 id=&quot;what-is-cyber-insurance-and-what-does-it-cover&quot;&gt;What is cyber insurance and what does it cover?&lt;/h1&gt;

&lt;p&gt;Cyber insurance is a policy that can be acquired by both organizations and individuals, and that covers multiple types of damages (these coverages change from provider to provider, including the language used for definitions). Typical coverages are: stolen funds (typically social engineering), lost business income (a DDoS that leads to business interruption), cyber extortion (ransomware), computer replacement, bodily injury (if you’re hurt by a failure in a SCADA or IoT device), etc…&lt;/p&gt;

&lt;h1 id=&quot;what-are-the-key-metrics-for-a-cyber-insurance-provider-&quot;&gt;What are the key metrics for a cyber insurance provider?&lt;/h1&gt;

&lt;p&gt;There are many different metrics we use to measure different topics internally, however two key metrics are extremely important:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;
    &lt;p&gt;&lt;strong&gt;GWP - Gross Written Premium&lt;/strong&gt; - Total premium written by an insurer before any deductions are made (like reinsurance or commissions).&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;&lt;strong&gt;Loss Ratio&lt;/strong&gt; - The ratio of incurred losses to earned premiums, expressed as a percentage.&lt;/p&gt;
  &lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;If we have $10,000 of premium and pay $5,000 in claims, our loss ratio is 50%.&lt;/p&gt;

&lt;h1 id=&quot;i-heard-that-cyberinsurers-dont-pay-because-of-war-reasons-or-wtv&quot;&gt;I heard that cyberinsurers don’t pay, because of war reasons or wtv?&lt;/h1&gt;

&lt;p&gt;This comes mostly from the now famous Mondelez case, where the company filed for damages with Zürich Insurance due to a NotPetya attack in 2017 and was refused payment. Here is an important fact often overlooked about that case: at that time Mondelez &lt;strong&gt;DID NOT&lt;/strong&gt; have cyberinsurance. They tried filing their claim under their property insurance and got denied, but due to information dilution over time and hearsay, cyberinsurance ended up being the target of people reading the news about this case.&lt;/p&gt;

&lt;h1 id=&quot;is-cyberinsurance-expensive-&quot;&gt;Is Cyberinsurance expensive?&lt;/h1&gt;

&lt;p&gt;Different factors go into how expensive your policy will be, from limits requested, to revenue, industry and number of records held by your company, and of course the results of our security scans.&lt;/p&gt;

&lt;p&gt;A policy has different coverages, limits (max an insurance company will pay), and retentions (how much you must pay before insurance pays a dime), and all these levers can be used to generate the right policy for the right price.&lt;/p&gt;

&lt;p&gt;The average policy for SME in 2021 has a cost of &lt;a href=&quot;https://advisorsmith.com/cyber-liability-insurance/market-update-2021/&quot;&gt;$1,589 for $1 million in cyber liability coverage&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;BUT, hear me out. If you pick the right carrier, your cyber insurance policy is not only a safety net but also a great investment of your infosec/cyber budget.&lt;/p&gt;

&lt;h1 id=&quot;its-not-just-your-policy&quot;&gt;It’s not just your policy…&lt;/h1&gt;

&lt;p&gt;Two months ago, we launched a new free product called &lt;a href=&quot;https://control.coalitioninc.com&quot;&gt;Coalition Control&lt;/a&gt;, and since then I’ve been talking to some startups and friends about how they are using Control. One topic that kept being repeated by the different people I spoke with was how, with Control being free, rather than saving money they would be able to shift the budget they had been spending on their current Attack Surface Management provider into something else. And that got me thinking.&lt;/p&gt;

&lt;p&gt;If I were back in startup mode, or in an organization with a small budget for security, which free tools could I leverage to optimize my spend? Note: I am focusing on tooling here, not on practices. Good/best practices deserve a much longer, separate post. Also, buying tools doesn’t get you out of following said best practices.&lt;/p&gt;

&lt;p&gt;With a typical budget for security of less than &lt;strong&gt;$1000/month&lt;/strong&gt;, any money we can save or redirect is a blessing. (Some of you will shout that this organization is already being negligent by not assigning a proper budget to cybersecurity; my advice is to go talk to some orgs in the real world. Get out of your bubble. The orgs we are talking about in this article can’t afford a multimillion-dollar investment in cybersecurity: they are non-profits, charities, small pre-funding startups, small local companies, etc…)&lt;/p&gt;

&lt;p&gt;So I sign up for a policy with Coalition (I talk about Coalition because it’s what I know and can talk about without making gigantic assumptions about what the offer looks like). Just by going through the quoting process, I get access to a security report of all my external assets and the potential security issues detected (a light version that looks at 400 ports across all assets; you too can get this in &lt;a href=&quot;https://control.coalitioninc.com&quot;&gt;Control&lt;/a&gt;).&lt;/p&gt;

&lt;p&gt;Let’s say I take the policy they offer; it’s gonna run me between $1,000 and $3,000, and what do I get in return?&lt;/p&gt;

&lt;p&gt;1 - Access to the premium version of Coalition Control. This is a risk management platform for which we are constantly building and adding new features; right now that means:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;
    &lt;p&gt;Full attack surface discovery and monitoring for your organization and 5 vendors. This means we will scan all 65,535 ports on all assets across your org and vendors multiple times a month, and notify you if we find any vulnerabilities. (Hint: even if you wanted to get this from a vendor, AFAIK no one is doing all ports across all assets with service identification and all the enrichment that we do.)&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;Dark web keyword monitoring (if we see you mentioned on the dark web, we let you know).&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;Look-alike domain monitoring (if we see an attacker preparing a social engineering attack by adding an SSL certificate or an MX entry to a domain similar to yours, we let you know in Control).&lt;/p&gt;
  &lt;/li&gt;
  &lt;li&gt;
    &lt;p&gt;Torrent monitoring: if we see any of your assets downloading torrents, we also let you know within Control.&lt;/p&gt;
  &lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;You would have to buy from multiple vendors to get access to all this data and maintain some kind of platform to aggregate it all; this would easily run you $25,000-$30,000/year.&lt;/p&gt;

&lt;p&gt;2 - You get access to a world-class security team. Yes, if you don’t know how to fix something or how to correctly implement certain security controls, we are here to help: you can book a call with our security team and they will try to guide you through any questions you might have. How much would you have to pay an IT provider, MSP or consulting company to help you with this?&lt;/p&gt;

&lt;p&gt;3 - You get access to our partner technology ecosystem. These are different technology solutions at discounted prices, exclusive to our policyholders. EDR, training, compliance tools: we’ve got it all, and it’s only getting better!&lt;/p&gt;

&lt;p&gt;4 - IR - If you get a claim, we have an IR team that will help you with the entire process, from understanding the initial vector of compromise to fixing it correctly and guiding you through the restoration process. Again, if you went with a vendor, this would run you up quite a bit.&lt;/p&gt;

&lt;p&gt;5 - Your policy. When all else goes wrong, you’ve got your coverage. This might seem obvious, but the policy is there to help in the worst-case scenarios.&lt;/p&gt;

&lt;h1 id=&quot;i-heard-that-cyberinsurance-is-fueling-ransomware-or-that-insurance-companies-are-happy-with-paying-ransoms&quot;&gt;I heard that cyberinsurance is fueling ransomware or that insurance companies are happy with paying ransoms&lt;/h1&gt;

&lt;p&gt;Repeat after me: “No one wants to pay for the ransoms”. Don’t believe me? Take a look at the numbers. The avg policy is $1,500 of premium (take out our own costs and broker commissions, and what we’re left with is even less than that), which means that even the payment of 1 ransomware claim burns a lot of the premium we get from other policies.&lt;/p&gt;

&lt;p&gt;However, sometimes our policy holders are faced with the worst situation a business can ever be in, &lt;strong&gt;“pay or die”&lt;/strong&gt;, and in those, we (if the policyholder makes the choice to pay) do play our part.&lt;/p&gt;

&lt;p&gt;I believe we play a much larger role in reducing the frequency with which ransomware events happen. One example of this is RDP, which we know is one of the main vectors for ransomware. In the last year alone we managed to convince thousands of companies to stop exposing RDP directly to the internet. Either to get a policy with us or as part of our ongoing scanning, policyholders follow our indications and become more secure because of it.&lt;/p&gt;

&lt;p&gt;I tried doing this proactively for years as part of BinaryEdge, and for free; most of the conversations ended in companies either ignoring us or threatening to sue us.&lt;/p&gt;

&lt;p&gt;Another great example is with Microsoft Exchange. When HAFNIUM came out at the beginning of the year, we had roughly 1,000 vulnerable policyholders. The security team, working alongside the incident response team, identified within &amp;lt;1 hour of the technical details being released which policyholders were vulnerable, and got notifications to them in the next hour. We managed to get those 1,000 vulnerable policyholders down to 8 in &amp;lt;1 week.&lt;/p&gt;

&lt;p&gt;Cyberinsurance is still in its infancy; market penetration is less than 1%, and it will grow into an absolute beast of a market in the next few years. When you stop and ask the question “Which cyber insurance should I buy?”, look at the entire package offered by your carrier, from coverage to the entire ecosystem around it. Pick a modern carrier that will help you manage and control your risk.&lt;/p&gt;

&lt;h1 id=&quot;is-insurance-land-like-candy-land-where-its-all-perfect-and-flowers&quot;&gt;Is insurance land like candy land where it’s all perfect and flowers?&lt;/h1&gt;

&lt;p&gt;No. We’re still learning. It’s a new game with no previous examples that we can point to and say “they did it right, let’s follow!”, so we make mistakes. Some carriers are non-renewing policies, others are going out with 200% price increases, and some of the things you read in the news are as painful as they appear. But here is the thing: we’re young. All other insurance lines went through similar phases in their development and stabilized over time as carriers learned more about the different types of risks, their frequency and their severity.&lt;/p&gt;

&lt;p&gt;Data becomes critical in this phase, as the company that has the best data and can best leverage it across the entire lifetime of a policyholder will win. I might write a future post about this, as I have had a couple of posts on Hacker News where people think it’s just scanning a company when we quote them and that’s it, but it’s so much more!!&lt;/p&gt;

&lt;p&gt;If you bothered to read to the bottom and understand the tip of the iceberg of how we work, you’re probably wondering “how is it that they can afford to offer all the security tooling on top of the insurance coverage?”.&lt;/p&gt;

&lt;p&gt;It comes down to being good at risk selection and reduction.&lt;/p&gt;

&lt;p&gt;A close cooperation between our security, risk and analytics teams enables us to have access to the right data and mechanisms to pick the right risks to insure at the right price. And for the risks we can’t insure, we will try our hardest to bring them to a level where we feel confident insuring them.&lt;/p&gt;</content><author><name></name></author><category term="cyber" /><category term="cyberinsurance" /><category term="cybersecurity" /><summary type="html">In the last year, I’ve learned a lot about cyber insurance, and I’ve also seen many incorrect facts being stated by fellow peers in infosec.</summary></entry><entry><title type="html">Promotions, Leadership and Sculpting</title><link href="/startups/leadership/projects/team/2021/04/02/promotionleadershipandsculpting.html" rel="alternate" type="text/html" title="Promotions, Leadership and Sculpting" /><published>2021-04-02T00:56:18+00:00</published><updated>2021-04-02T00:56:18+00:00</updated><id>/startups/leadership/projects/team/2021/04/02/promotionleadershipandsculpting</id><content type="html" xml:base="/startups/leadership/projects/team/2021/04/02/promotionleadershipandsculpting.html">&lt;p&gt;Over the last couple of weeks I’ve spent a lot of time thinking about team leadership, promotions (’tis the season), my career and projects.&lt;/p&gt;

&lt;p&gt;This post is broken down into two parts: first I wanted to write a little about planning projects, and then about leadership, promotions and responsibilities.&lt;/p&gt;

&lt;p&gt;For the longest time I’ve noticed that there is a subset of projects that I just didn’t feel suited to run.&lt;/p&gt;

&lt;p&gt;I was never able to explain why, but projects that typically put large constraints on imagination by having non-flexible requirements (law/regulation), or where initial launches need to have all T’s crossed and i’s dotted with little margin for changes, just didn’t interest me, and I never felt suited for them (I’ve thought about this for years but never once brought it up to anyone or felt confident enough to talk about it in public; I do now that I understand where “I fit”).&lt;/p&gt;

&lt;h2 id=&quot;planning&quot;&gt;Planning&lt;/h2&gt;

&lt;p&gt;When thinking about the way I plan projects, I typically think about “the final product”, 5 years out, and then start decomposing it back. It typically ends up looking like the equivalent of the tech tree in a game of Civilization, and then when the team and I hit that “final product” mark, it becomes the pivot point for the next large thing, another 4 or 5 years out.&lt;/p&gt;

&lt;p&gt;For example, for BinaryEdge, here is what the high-level versions looked like.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/img/binaryedge2015.jpeg&quot; alt=&quot;be2015&quot; /&gt;&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/img/be-plan.jpg&quot; alt=&quot;be&quot; /&gt;&lt;/p&gt;

&lt;p&gt;As some of you know, we then launched &lt;a href=&quot;https://asm.binaryedge.io&quot;&gt;Attack surface monitoring&lt;/a&gt; which was one of the first milestones I had planned that used BinaryEdge 2020 as the base for the next 5 years.&lt;/p&gt;

&lt;p&gt;A couple of things are important though: if you look at that roadmap, lots of things happened in a different order, and some features we launched only to later go in a different direction or kill them altogether. But from all of them we learned, we grew, we adapted. For each feature, I always try to follow a template.&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;strong&gt;Title&lt;/strong&gt; - What is this?&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;Description&lt;/strong&gt; - Why should we do this?&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;Benefits to customer&lt;/strong&gt; - Why would a customer want this / benefit from it?&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;MVP needs&lt;/strong&gt; - What is the absolute bare-bones development that needs to be done for us to confirm this brings benefit to said customer?&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;Success&lt;/strong&gt; - What do we want out of this to confirm it was successful?&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;Fail&lt;/strong&gt; - In case of failure, what is the worst that could happen? (PS: A failure isn’t necessarily a bad thing. When you fail you learn; just make sure you fail in a contained environment or with contained risk, and that you learn from that failure.)&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;I have hundreds of these written and I continuously add to them, and then at the beginning of each year I pull them in, look at the ones that can bring the biggest benefit to customers or impact to the company, and discuss those with the team to choose priorities.&lt;/p&gt;

&lt;p&gt;Even BinaryEdge itself was at one point one of these:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;&lt;strong&gt;Title&lt;/strong&gt; - Startup that scans the internet&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;Description&lt;/strong&gt; - We saw good success with PTCoresec; I think we could build a business that sold internet scanning data to organizations to help them protect themselves.&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;Benefits to customer&lt;/strong&gt; - Scanning the internet is hard, scanning all assets for an organization is hard, curating all events and showing only the things that are important for a security team is hard; we can make all of this simple for them. When a vulnerability comes out, orgs don’t know whether they are affected by it or not.&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;MVP&lt;/strong&gt; - Use a TCP scanner, build something like nmap but faster that can identify services, and have a rules-based data processor that can build reports or put the data in a database that orgs can query easily.&lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;Success&lt;/strong&gt;
    &lt;ul&gt;
      &lt;li&gt;Company: We are able to identify organizations that have security exposures, they are willing to pay for the service and let us handle dealing with data wrangling for them.&lt;/li&gt;
      &lt;li&gt;Personal: Work on something I have fun with, with people I enjoy. My own thing. Lots to learn.&lt;/li&gt;
    &lt;/ul&gt;
  &lt;/li&gt;
  &lt;li&gt;&lt;strong&gt;Fail&lt;/strong&gt;
    &lt;ul&gt;
      &lt;li&gt;Company: Orgs aren’t willing to pay for this, we don’t have enough knowledge on how to maintain all of the data in an easy to use system.&lt;/li&gt;
      &lt;li&gt;Personal: Multiple years of life/career lost. Friendships lost. Money lost.&lt;/li&gt;
    &lt;/ul&gt;
  &lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;This system has allowed my imagination to run wild, thinking of whatever features I could imagine or observed as a need, and I really enjoy it. (PS: As usual, just because it works well for me doesn’t mean it needs to suit you.) But this system also has a VERY special requirement. You need people around you that can work the same way.&lt;/p&gt;

&lt;p&gt;This is a set of skills that my current team has. We iterate fast: we start by building the absolute minimum in products to test with customers, and then improve or cut things that are not needed. This system allows us to get super early feedback, instead of investing months or years into something we believe is correct, only to then have no way back/out from it. Unfortunately it also means that, as I mentioned in the beginning, projects that are heavy on restrictions/regulation are not well suited for us, but building tools/products for customers to use on a daily basis is absolutely perfect.&lt;/p&gt;

&lt;p&gt;The most extreme version of this was when, a few years ago, we built a mobile app to teach people about security that also served as an internal network scanning agent.&lt;/p&gt;

&lt;p&gt;We started with a paper prototype, which allowed for some super fast testing (you can get one of these done in &amp;lt;1 day):&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/img/cyberfables1.gif&quot; alt=&quot;cyberfables1&quot; /&gt;&lt;/p&gt;

&lt;p&gt;Then we moved to an electronic prototype (Adobe XD):&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/img/cyberfables2.gif&quot; alt=&quot;cyberfables2&quot; /&gt;&lt;/p&gt;

&lt;p&gt;And then it landed on our last version, which went to the App Store:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/img/cyberfables3.jpg&quot; alt=&quot;cyberfables3&quot; /&gt;&lt;/p&gt;

&lt;p&gt;A great way to learn more about this is to become certified in Design thinking, I did the &lt;a href=&quot;https://www.ideou.com/&quot;&gt;certification with IDEO&lt;/a&gt; a few years ago and learned a ton!&lt;/p&gt;

&lt;p&gt;This brings us back to the beginning of this post. I never knew how to explain all of this in a simple way, that is, until I read Sid Meier’s memoir.&lt;/p&gt;

&lt;p&gt;In his memoir, he explains that he thought of projects like sculpting. &lt;em&gt;There are different types: sculpting with granite he never felt was the right thing for him, as you chip one bit too much and the entire thing is ruined. Sculpting with clay, however, is a lot more fun, imaginative and forgiving: you add a piece of clay and don’t like it? Take it away. You chipped a bit too much? Add a bit more clay and it looks normal again.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;In reading this, it immediately clicked as a nice way to describe how I feel about projects. Projects as rigid as granite are not good for me; projects that require imagination, exploring a problem, and quickly trying different iterations until you find one that works well are well suited for me.&lt;/p&gt;

&lt;h1 id=&quot;promotions-leadership-and-responsibilities&quot;&gt;Promotions, leadership and responsibilities&lt;/h1&gt;

&lt;p&gt;One thing I don’t feel you hear during life is that promotions are also hard.&lt;/p&gt;

&lt;p&gt;Going from IC to team lead, and team lead to leader of leaders causes huge changes in your scope, and if you’re not prepared these can catch you by surprise.&lt;/p&gt;

&lt;p&gt;Hiring and placing a team around you that you trust implicitly become two of the most important actions you can take. The soft skills start to matter so much more. The teams start to gain their own personalities, and sometimes they are very different (and can still work together well).&lt;/p&gt;

&lt;p&gt;A lot more people look to you to guide and lead. Things that you don’t like to do, you have to do, because you can’t just think about yourself, you have to think about the team.&lt;/p&gt;

&lt;p&gt;Your contributions to a project move from discussing whether the APIs should work synchronously or asynchronously, which database to use or which latest and greatest tech to use, to discussing roll-out plans, coordination between different teams and metrics.&lt;/p&gt;

&lt;p&gt;Checklists and templates become your best friends (a great book on this topic is The Checklist Manifesto: How to Get Things Right by Atul Gawande)! I’ve really become obsessed with building templates for things I have to do on a weekly/daily basis, and Notion makes it super easy to just right click - duplicate a page that serves as a template.&lt;/p&gt;

&lt;p&gt;Come review season, every year you should ask yourself “Where do I want my career to go?” and make sure your manager knows how you feel about your career. Choosing to remain an IC is an absolutely valid choice, &lt;a href=&quot;https://engineering.gusto.com/i-didnt-want-to-be-a-manager-anymore-and-the-world-didnt-end/&quot;&gt;not everyone needs to become a manager&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;Knowing the answer to that question is not only important for you, but for your entire team, and especially if you’re a manager, you need to be prepared for the change, because if you do not commit to it, your team will feel it.&lt;/p&gt;

&lt;p&gt;Your decisions have a huge impact on people’s lives; working through leveling and promotion, or figuring out whether people are doing well on their projects, can change the motivation of your individual contributors in a snap. Find people to help you, you won’t be able to solve big problems by yourself.&lt;/p&gt;</content><author><name></name></author><category term="startups" /><category term="leadership" /><category term="projects" /><category term="team" /><summary type="html">Over the last couple of weeks I’ve spent a lot of time thinking about team leadership, promotions (tis’ the season), my career and projects.</summary></entry><entry><title type="html">A cybersecurity view of COVID vaccine vendor chain.</title><link href="/cyber/cyberinsurance/cybersecurity/2021/02/11/cyberviewcovidchain.html" rel="alternate" type="text/html" title="A cybersecurity view of COVID vaccine vendor chain." /><published>2021-02-11T00:56:18+00:00</published><updated>2021-02-11T00:56:18+00:00</updated><id>/cyber/cyberinsurance/cybersecurity/2021/02/11/cyberviewcovidchain</id><content type="html" xml:base="/cyber/cyberinsurance/cybersecurity/2021/02/11/cyberviewcovidchain.html">&lt;p&gt;A few days ago, I read one of the &lt;a href=&quot;https://blog.jonasneubert.com/2021/01/10/exploring-the-supply-chain-of-the-pfizer-biontech-and-moderna-covid-19-vaccines/&quot;&gt;most interesting articles that I’ve seen in a while&lt;/a&gt;, about how Jonas Neubert essentially attempted to reverse engineer all vendors involved in the entire development, production and shipping chain for the COVID vaccines.&lt;/p&gt;

&lt;p&gt;It’s a great article, &lt;a href=&quot;https://blog.jonasneubert.com/2021/01/10/exploring-the-supply-chain-of-the-pfizer-biontech-and-moderna-covid-19-vaccines/&quot;&gt;go read it&lt;/a&gt;, I’ll wait.&lt;/p&gt;

&lt;p&gt;Now, vendor chains are something I really care about. I spend all day looking at organizations, their connections and dependencies, technologies and hosting providers, as part of the &lt;a href=&quot;https://www.coalitioninc.com/en-ca/blog/analyzing-policyholders-technologies&quot;&gt;work I do&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;So when I read this article, my mind immediately started asking questions like:&lt;/p&gt;
&lt;ul&gt;
  &lt;li&gt;What are the common technologies between all these vendors?&lt;/li&gt;
  &lt;li&gt;Hosting providers used?&lt;/li&gt;
  &lt;li&gt;Types of vulnerabilities we can see?&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The best part is, I have everything I need to get those answers:&lt;/p&gt;

&lt;p&gt;1 - Who the vendors are and their main domains (Jonas did the hard work here)&lt;/p&gt;

&lt;p&gt;2 - I can just &lt;a href=&quot;https://asm.binaryedge.io&quot;&gt;type company names into ASM&lt;/a&gt; and it takes care of the rest!&lt;/p&gt;

&lt;p&gt;First of all, for both the Moderna and Pfizer/BioNTech vaccines, here are the vendor chains.&lt;/p&gt;

&lt;iframe width=&quot;100%&quot; height=&quot;734&quot; frameborder=&quot;0&quot; src=&quot;https://observablehq.com/embed/@worldofbalgan/pharma-analysis?cells=connections%2Cchart&quot;&gt;&lt;/iframe&gt;

&lt;p&gt;Looking at the plot, we can see there are some vendors that are shared between the two main vaccines:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Schott&lt;/li&gt;
  &lt;li&gt;Kuehne+Nagel&lt;/li&gt;
  &lt;li&gt;Fedex&lt;/li&gt;
  &lt;li&gt;University of Pennsylvania&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;If you’re thinking like an attacker, this picture also presents an extremely interesting perspective. Think back a few weeks to &lt;a href=&quot;https://www.zdnet.com/google-amp/article/microsoft-says-it-identified-40-victims-of-the-solarwinds-hack/?__twitter_impression=true&quot;&gt;what we saw happening with Solarwinds&lt;/a&gt; or &lt;a href=&quot;https://www.zdnet.com/article/france-russian-state-hackers-targeted-centreon-servers-in-years-long-campaign/&quot;&gt;this week with Centreon&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;A vendor got hacked, and from there attackers were able to pivot to other organizations.&lt;/p&gt;

&lt;p&gt;Next, let’s take a look at data leaks. These are where an attacker first looks when gathering information about a victim. You get access to social profiles, passwords, usernames, and a bunch of other information that can be used for different types of attacks, from social engineering and phishing to credential stuffing or brute forcing.&lt;/p&gt;

&lt;iframe width=&quot;100%&quot; height=&quot;834&quot; frameborder=&quot;0&quot; src=&quot;https://observablehq.com/embed/@worldofbalgan/sortable-bar-chart?cells=viewof+order%2Cchart&quot;&gt;&lt;/iframe&gt;

&lt;p&gt;Lots of data leaks are found across the entire chain: lots of credentials ready to be used and re-used by attackers, lots of emails ready to be phished.&lt;/p&gt;

&lt;p&gt;If you take a look at our &lt;a href=&quot;https://www.coalitioninc.com/blog/coalition-releases-new-2020-cyber-insurance-claims-report&quot;&gt;Claims report for 2020&lt;/a&gt;, you will see that these account for a high percentage of the attack techniques we see.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/assets/img/claims.jpg&quot; alt=&quot;claims&quot; /&gt;&lt;/p&gt;

&lt;p&gt;As a next step, let’s take a look at all domains, subdomains and assets of these organizations. Here we see the geographic distribution of these assets:&lt;/p&gt;

&lt;iframe width=&quot;100%&quot; height=&quot;608&quot; frameborder=&quot;0&quot; src=&quot;https://observablehq.com/embed/@worldofbalgan/asset-distribution-covid-pharma?cells=legendmap%2Cchart&quot;&gt;&lt;/iframe&gt;

&lt;p&gt;These assets are distributed across multiple ASNs, providers and geo-locations. It’s interesting to think about how real-world politics can affect the location of some of these assets from a governance, compliance and cybersecurity lens.&lt;/p&gt;

&lt;p&gt;Looking at these assets we can extract the top subdomains found; I colored the ones that I believe would be attractive to attackers, based on my previous experience doing pentesting and now doing large-scale organization mapping and scanning.&lt;/p&gt;

&lt;p&gt;These are subdomains that our customers typically focus on and tag as important assets to them.&lt;/p&gt;

&lt;iframe width=&quot;100%&quot; height=&quot;800&quot; frameborder=&quot;0&quot; src=&quot;https://observablehq.com/embed/@worldofbalgan/subdomains?cells=chart&quot;&gt;&lt;/iframe&gt;

&lt;p&gt;One growing concern I have had for a while is the attack surface that is growing from the software side (though typically my focus is on the network components). How many JavaScript libraries are you using on your project when you do your npm install? What are their dependencies? Where are they coming from? What are the intentions of their developers?&lt;/p&gt;

&lt;p&gt;We’ve started to see the &lt;a href=&quot;https://www.xda-developers.com/google-chrome-the-great-suspender-malware/&quot;&gt;dark side&lt;/a&gt; of these issues pop up more in the last few years, with one showing up just a couple of weeks ago - &lt;a href=&quot;https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610&quot;&gt;read about it here&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;So when we take a look at the tech stack of all these organizations, it is scary to see how complex they are and how many vectors of potential attack exist.&lt;/p&gt;

&lt;iframe width=&quot;100%&quot; height=&quot;800&quot; frameborder=&quot;0&quot; src=&quot;https://observablehq.com/embed/@worldofbalgan/technologies?cells=chart&quot;&gt;&lt;/iframe&gt;

&lt;p&gt;From this we can see a bunch of positive signals: SPF usage, Cloudflare against DDoS, and lots of different cloud services, from AWS and Azure to GCP.&lt;/p&gt;

&lt;p&gt;But we also see some concerning signals (not necessarily negative, but some that, if we were the attackers, we would want to start with): usage of Tomcat (which is widely known for having multiple vulnerabilities), and lots of Windows servers, including Microsoft Windows RPC.&lt;/p&gt;

&lt;p&gt;We might explore in more depth what some of these services are in a future post, but one interesting fact I found was this: for any organization loaded on &lt;a href=&quot;https://asm.binaryedge.io&quot;&gt;ASM&lt;/a&gt; we give it a risk level, and for this portfolio of organizations the risk levels look like this:&lt;/p&gt;

&lt;ul&gt;
  &lt;li&gt;Low - 72364&lt;/li&gt;
  &lt;li&gt;Medium - 60623&lt;/li&gt;
  &lt;li&gt;High - 420&lt;/li&gt;
  &lt;li&gt;Critical - 132&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Let’s ignore Low, Medium and High for a minute. One of the important things to understand about what we do on ASM with critical issues is that these are curated and have custom modules developed for them that guarantee an extremely high level of accuracy for that finding, without exploiting the vulnerability.&lt;/p&gt;

&lt;p&gt;We also consider as critical a vulnerability that would allow any type of attacker easy access (we classify easy as 1 command or an available script copy-pasted into a terminal) to a company asset (an asset being a machine or proprietary data).&lt;/p&gt;

&lt;p&gt;So, knowing that, the number that is concerning there is the 132.&lt;/p&gt;

&lt;p&gt;Taking a look at some of the critical findings, we see that they are comprised of &lt;strong&gt;exposed databases&lt;/strong&gt;, &lt;strong&gt;vulnerable services that are typically used by threat actors to deploy ransomware&lt;/strong&gt;, &lt;strong&gt;multiple critical services with no authentication&lt;/strong&gt;… Not good.&lt;/p&gt;

&lt;p&gt;These services are spread across multiple ports; however, by looking at the Sankey diagram of service-port pairs, we can see that a high diversity of services can be found on ports 80 and 443.&lt;/p&gt;

&lt;iframe width=&quot;100%&quot; height=&quot;1000&quot; frameborder=&quot;0&quot; src=&quot;https://observablehq.com/embed/@worldofbalgan/sankey-ports-and-services?cells=chart&quot;&gt;&lt;/iframe&gt;

&lt;p&gt;&lt;strong&gt;One final interesting fact is that all the data we looked at over the course of this post, was on lite mode in ASM, which means we are only looking at 250 ports and without domain enumeration expansion (finding domains other than the main domain provided). Had I put these companies in extended mode, we would get all their alternative domains and 65535 ports for all assets which easily means 10-30x the attack surface seen on this post. I’d like to thank Florentino Bexiga and Filipe Reis for the assistance with this post.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;https://balgan.substack.com/about&quot;&gt;Subscribe to my newsletter to get updates and new articles right in your inbox!&lt;/a&gt;&lt;/p&gt;</content><author><name></name></author><category term="cyber" /><category term="cyberinsurance" /><category term="cybersecurity" /><summary type="html">A few days ago, I read one of the most interesting articles that I’ve seen in a while, about how Jonas Neubert, essentially attempted to reverse engineer all vendors involved in the entire development, production and shipping chain for the COVID vaccines.</summary></entry></feed>