EPISODE 49
Utility computing for cybersecurity is “reasonable”

About this episode

March 17, 2020

Kip Boyle, CEO of Cyber Risk Opportunities, and Jake Bernstein, JD and CyberSecurity Practice Lead at Focal Law Group, discuss how organizations using Office 365 and G Suite should be using the many “hidden” but very affordable cybersecurity functions. Their availability is changing the definition of “reasonable cybersecurity”.

Episode Transcript

Speaker 1: Welcome to the Cyber Risk Management Podcast. Our mission is to help you thrive as a cyber risk manager. On today's episode, your virtual chief information security officer is Kip Boyle and your virtual cybersecurity counsel is Jake Bernstein. Visit them at cyberriskopportunities.com and focallaw.com.

Jake Bernstein: So Kip, what are we going to talk about today?

Kip Boyle: Hey Jake. Today, we're going to talk about how email security in the cloud... There's something going on today. Specifically, there's something hidden, but very useful. There are some unexpected security functions in Office 365 and G Suite.

Jake Bernstein: Okay, so this is already sounding like you're going to turn our show into the system administrator's podcast today. How are we going to help our audience of cyber risk managers?

Kip Boyle: Yeah. Well, it's certainly a topic where we could quickly go off the deep end, discussing the technical ins and outs. That's not the goal. So if there's anybody in the audience that's ready to turn us off, please don't. So rather than take us into this technical world of how do you administrate this stuff? What I want to do instead is stay at a high level. And I want to talk about what we are seeing in our work. How customers are interacting with Office 365 and G Suite from a cyber security management perspective.

Jake Bernstein: Okay. So, that makes sense. And given the way you set up this intro, you must be seeing something noteworthy. And I think it's also noteworthy to point out that between Office 365 and G Suite, that's probably the vast majority of kind of cloud-based business suites out there. Obviously, there's still a lot of on-prem and legacy software, but I can't think of another kind of competitor to those two right now.

Kip Boyle: No, they're certainly the dominant players in the email, right? Email and the cloud space, those are definitely the two dominant players. And almost all of our customers, whether they're small or medium or enterprise are using it to one degree or another. But what's interesting is that there's an add-on for Office 365 and in G Suite, you just have to buy in at a higher license level. But when you do that, you get a whole bunch of security features. And in Microsoft, it's called advanced threat protection or ATP. So let's focus the conversation on ATP today during the episode, but just know that there's similar functionality in G Suite. And I'm just not seeing people use this great functionality.

Jake Bernstein: That really raises two questions. First, what's so great about this advanced threat protection? And then second, why aren't people using it and should they? And if they want to use it, how can they do so?

Kip Boyle: So if you're a cyber risk manager and you know that your organization is using either G Suite or O 365 for your email processing, I want you to start thinking about exploring and potentially turning on all this functionality. Because when I looked at it, and as I got to know it more and more in our work, what I realized was 10 years ago, this functionality could not be procured for so little money and so little effort. To do it back then, you had to buy several different products. You had to pay very high licensing and ongoing maintenance fees to these different vendors. You had to train your systems administrators. You had to integrate these products yourself, or you had to hire somebody to come and do it for you. And you had to do it in your own data center.

I mean, it was very much a roll your own kind of a thing. And quite frankly, it was kind of fun, it was a bit of a puzzle, sort of challenging, but it was super, super expensive, and very time-consuming. And then you had to keep that stuff running. And if one product did a major version upgrade, then you had to tweak the whole stack, but now you can get all this cyber hygiene goodness for just a few dollars per user, per month. And when I sat back and thought about it, I realized utility computing for cybersecurity is here.

Jake Bernstein: So another way to say that might be, it's becoming very commoditized. And whereas, in the not too distant past, it required highly trained IT staffs of maybe 10 or even dozens of people to get functionality like this going. And what we're really saying here is, look, everybody, you can get all these great features for essentially very little cost and no real labor, which is a huge change.

Kip Boyle: Yeah. By comparison. Right? But there's a lot of people out there that maybe never would have bought the technology stack that I'm talking about 15 years ago. And so for them, it still probably seems like, why should I pay that money? What do I get for it? And we definitely encounter that. But what I try to say to our customers is look, there's so much of this great security stuff has been democratized. It's accessible to everybody now. And you just don't have to put in nearly as much sweat equity and money and so forth to gain access to it. Okay. So, you're probably thinking, okay, Kip, you're probably selling ATP and G Suite out of the back of your car. No, we don't get any money from talking about it.

We're helping our customers make the most of it. But I think that while this stuff isn't perfect, right? It's not perfect, but it's really, really good for the price. Now, even enterprise organizations are using advanced threat protection and the G Suite security functionality. But what I have noticed is enterprise organizations at the price points that are being offered to them, they actually have a lot more options in terms of choosing competing products that are best of breed and skipping over advanced threat protection and the G Suite stuff. So they're not as sweet on it as I'm seeing the mid-market and the small companies. So, that's kind of what we're seeing.

Jake Bernstein: To bring in a metaphor from a previous podcast about technology and vehicles. What this is, is like almost many, many car brands including the kind of medium and lower end all have these electronic safety features built-in now. Whereas 10 years ago, they existed, but access was limited by luxury brands. And so most people didn't... It just wasn't realistic for them to have it. So they might not even think about it. Whereas today you go by every single Subaru has this vision system that helps prevent crashes. And this is very similar for businesses. Businesses that would never have even considered, or might not even know that these things are possible now have access. And I think one of the things we should probably do before we get too much farther is to just really briefly talk about... Make this less abstract. So, I assume there's anti-spam functionality, but what else is actually in here that we can take a look at?

Kip Boyle: So there's the obvious stuff, right? So you think about, I'm buying an email server from Microsoft or from Google. And so immediately you think, okay, well, I can do some spam filtering and you can, some pretty complicated stuff in fact. Then there's other email-related things like there's a feature in ATP called Safe Links. And what it does is it changes the way the web links operate in Outlook. And that's either on desktop or mobile. And I don't think it matters which OS you're using. But the way it works is, instead of allowing people to click on the links and get to them directly when you have a Safe Links policy turned on in ATP, Microsoft will first redirect you to their service which scans the link for malicious code. And if the link is good, then Microsoft will send you on your way. It'll say, okay, safe link. If it's not a safe link, if it's unsafe, then you'll get messaging on that as well, and you'll be automatically redirected to a page where you can look at the message and then make a decision about what you want to do next.

And again, this is enterprise-class functionality that is now available to really anybody. I mean, we're a small company and we've got it turned on.

Jake Bernstein: Yeah. And it's really thanks to Azure cloud computing and the ability to spin up servers and virtual machines, because really a lot of this stuff, that is what is necessary to make any of this possible is to quickly have little sandboxes that can get set up and test things. And it happens in sometimes fractions of a second. So it's actually really impressive tech. If you pause and just kind of admire it, it is very impressive stuff. And I think it's worth pointing out to users that look just because this has not been made a bigger deal of doesn't mean that it is something that you should discount because it doesn't have the marketing dollars behind it. This is big-time stuff, and it's really valuable and it's quite impressive.

Kip Boyle: Absolutely. So there's Safe Links, there's another thing called Safe Attachments. So this is a huge attack vector for phishers and for people who want to get malicious code on your computer. So what does it do? Well, Microsoft will scan your attachments and if it has malware, it'll remove the attachment. It'll deliver your message. It'll put a notification in there saying, hey, we found malware in the attachment. So here's the body of the message that was sent to you. But we're not going to give you the attachment, or if you have an IT administrator, you could opt to have the attachment delivered to them. And then they could look at it. It could go to a malicious queue where knowledgeable people could go in there and figure out if it was a false positive or not. I mean, you have to be careful how you configure this stuff. But now you've got something in there aggressively looking at these attachments that are coming at you and it's super helpful.

Jake Bernstein: Yeah, I know, that's really powerful stuff to protect you. Particularly since, as we've talked about on the podcast a few times now, training someone not to click on a link has a maximum effectiveness of roughly 97%. Well, that 3% is a big giant hole for people to drive malware trucks full through. And so this is one more thing that can kind of help filter that stuff out to reduce that percentage even more.

Kip Boyle: Yeah. There's another thing that's going on behind the scenes. And a lot of companies are doing this these days with this continuous improvement. Now the upside of that is that Safe Links and Safe Attachments and all those other security functionality gets better and better and better every day. The downside to it is that the way you administer it, the different options that you have to choose from is changing as well. So one day you're in the console and you're looking at your dashboard, your control panel, and then you go back in the next day and everything's moved around and you can't find stuff that you used to have there. And then now there's all these new things that you've never seen before.

So while that's a little irritating and a little frustrating compared to where we've been in the past. I actually think that's a sign of goodness because we've talked about this so many times, the cyber attackers are not sitting around just attacking us and then getting frustrated when it doesn't work and then going off and changing careers. They are constantly innovating, trying to find new ways to mess with us. Well, so here, we've got Google and Microsoft constantly innovating and trying to figure out how these defenses can also be improved. So, that's absolutely going on too.

Jake Bernstein: Very much so. Is there anything else in ATP worth mentioning on the podcast?

Kip Boyle: Yeah, absolutely. So those previous features that I talked about are very email centric. And again, a lot of people think about Office 365 and G Suite as, oh, that's how I do email or that's how I gain access to Word, Excel, PowerPoint, SharePoint, or any of the Google online apps. But actually, there's so much more going on here. So for example, you get mobile device management, which is great. And in an enterprise situation, as a dedicated system, you can configure many different options for multifactor authentication. You get a cloud app security console. So you can actually see what the folks in your organization are using. It gives you visibility into all this so-called shadow IT, all these cloud services that people are signing up for and either getting for free, like some space on Dropbox or something, or maybe even they pulled out their credit card and they're paying 5 or 10 bucks a month for some kind of a cloud app to do their business.

Well, without some sort of a scanning capability you just don't know what people are doing, but you get that. That's something that's thrown in here. There's all these security functions that you can use to configure SharePoint Online, OneDrive and believe it or not, even though you didn't realize it when you signed up for O 365, you actually have an Active Directory domain controller in Azure that you can interact with and configure. So, that's unusual. When I first discovered that I thought that was like one of these hidden benefits.

Jake Bernstein: Yeah. I think that's important. And I assume that you get lots of... Actually, I've seen the consoles, you get event auditing, you get dashboards, you get reporting, you get search, you even get legal hold type things that kind of take it to the next level. So, it's very impressive suite. And I think Google's G Suite has something similar, right?

Kip Boyle: Yeah. They have almost feature-for-feature parity. There's obviously some differences due to the fact that the tech stack is totally different over Google than what it is at Microsoft. But at the end of the day, the threats are the same, no matter which service you're on. So there's going to be functionality in either one of those vendors that's going to be designed to deal with the same threats. They'll go about it a little bit differently, but it's not that tough. You just get in there and you figure out how to make it work. You'll need some training. We certainly did. And I didn't find the Google documentation and the Microsoft documentation terribly helpful, so that hasn't changed. There's some great online training that you could get a hold of and go through.

But bear in mind, this point that I made before, which is, these services are constantly changing. So we did a video-based training a while ago to come up to speed with this. And the instructor said right off the bat, "Hey, look, I'm going to show you some screen captures. I'm going to describe all this stuff, but don't be surprised if when you go into your console, it looks different. Maybe that console doesn't even exist anymore because of all the change that's going on, all the constant improvement." So anyway, but I really think this is within the grasp of most organizations. And we were just working with a private equity firm the other day. And we said, "Well, what have you got?" They were using Office 365 and we said, "Well, have you turned on any of the advanced threat protection?" And we got a deer in the headlights look and we're like, okay. I'm not a salesman for this stuff, but I often feel like I'm in situations where I am almost selling it.

Jake Bernstein: Well, what's interesting is, I'm thinking about how to kind of wrap this podcast episode into our overall theme. And one, of course, our themes is reasonable cybersecurity. And it strikes me that if I'm a judge and I don't know a great deal about technology and security and all this stuff, which is going to be the case-

Kip Boyle: Most judges.

Jake Bernstein: ... for quite a while at least, until people like me become judges, if that ever happens. And I'm going to think to myself, okay, so if I need to figure out what's reasonable and I'm listening to these two sides give testimony, and one of these sides is saying, look, you had the ability to basically flip a switch inside a suite of software that you've already used and it will cost you a very little more that could have dramatically improved your cyber security kind of risk profile, and you didn't do it because why? I think that what these companies are doing is raising the bar on reasonable cyber security. Because if you think about it, let's say that you have the ability to flip on Safe Links and Safe Attachments just taking ATP as an example. And you don't do it either because you didn't look at your documentation or you just didn't feel like it. That strikes me as being kind of an unreasonable stance when the cost is so low on both labor and dollar side.

So to me, what we're doing is raising awareness of something that is probably going to become part of a baseline for a reasonable cybersecurity program. Which is use these capabilities that are essentially built into your platforms for a relative pittance.

Kip Boyle: Yeah. That makes sense. And then in legal parlance, right? Reasonable cybersecurity. I think the other term that I think about is due care, right? So would you say that this is becoming part of the definition of due care because it's so accessible?

Jake Bernstein: So, standard of care, due care, reasonable cybersecurity program, they all kind of mean the same thing. There's not going to be a great analytical difference between those terms.

Kip Boyle: Okay.

Jake Bernstein: So, yes. I mean, I think that when we say a reasonable cybersecurity program, we're talking about a standard of care or use of due care. And so that's really what we're talking about.

Kip Boyle: Okay. Got it. Got it. Got it. Got it. Okay. Well, great. Yeah. Reasonable cybersecurity, I love it. I agree, that's exactly what's going on here.

Jake Bernstein: I think you made me realize, I didn't address it directly. Remember that some of the factors in reasonable cybersecurity include cost-benefit analysis and the cost of the state of the art versus the protection it offers. And what this does is gives you a whole lot of capability for very little cost. It's kind of a no-brainer and the law's going to see it the same way.

Kip Boyle: Wow. Okay. That's great perspective. All right. Well, I think I've said everything I came here to say, how about you?

Jake Bernstein: Yeah, and more.

Kip Boyle: All right. Well, that wraps up this episode of the Cyber Risk Management Podcast. And today we talked about the hidden, but very useful and unexpected security functions in Office 365 and G Suite. And we'll see you next time.

Jake Bernstein: See you next time.

Speaker 1: Thanks for joining us today on the Cyber Risk Management Podcast. Remember that cyber risk management is a team sport, so include your senior decision-makers, legal department, HR, and IT for full effectiveness. So if you want to manage cyber as the dynamic business risk it has become, we can help. Find out more by visiting us at cyberriskopportunities.com and focallaw.com. Thanks for tuning in. See you next time.

YOUR HOST:

Kip Boyle
Cyber Risk Opportunities

Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).

YOUR CO-HOST:

Jake Bernstein
K&L Gates LLC

Jake Bernstein is an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.