Cybersecurity Effectiveness Podcast


Steve Lodin

It's a no brainer for all small and medium companies to move to the cloud. I continue to see a major shift for applications and infrastructure to move there, too, approaching that 90% range, maybe a pie in the sky. But where this goes after that is it seems to have an impact on the government and the regulatory views regarding monopolistic behavior and critical infrastructure.

Steve Lodin is the Senior Director of Cyber Security Operations in Corporate Security at Sallie Mae, where he's focused on managing perimeter security, endpoint protection, application security, vulnerability management, and threat intelligence to reduce risk and ensure compliance.

Brian Contos:

Welcome to the Cybersecurity Effectiveness Podcast, sponsored by Verodin. The Verodin Security Instrumentation Platform is the only business platform for security that helps you manage, measure, improve and communicate security effectiveness. I'm your host, Brian Contos, and we've got a really special guest today. Joining me is Steve Lodin. Welcome to the podcast, Steve.

Steven Lodin:

Thanks for inviting me and glad to be here.

Brian Contos:

Hey Steve, before we jump into some questions, could you give our listeners a little bit of background on you and how you got into cyber and what it is that you do today?

Steven Lodin:

Sure, Brian. As you know, I've got a great beard, so I've been around for a little while. I first started this out with an electrical and computer engineering degree. I spent a lot of time working at General Motors in their advanced development arena, working on displays for concept cars, so heads-up displays, the first flat panels, things like that were what I was working on back in the day. The way that you programmed those, of course, at the time was using Unix systems for co-development and firmware. I managed to start working on large-installation system administration and managing hundreds of servers and workstations globally for the development of anti-lock braking systems or radios or things like that in the car. I focused on the security side and the patching side and the public domain software side, and as a result of that I was awarded a GM fellowship to attend Purdue University as part of the COAST and CERIAS lab focused on computer security.

Brian Contos:

Oh, absolutely. Yeah. That's very cool. I didn't know you were involved with Coast. Very nice.

Steven Lodin:

Yep. Back in the day, that was the place to go to find vulnerability information or patching information or white papers on security.

Brian Contos:

Yeah. What an amazing resource for those of us that were getting involved in security at that time. That was one of your main locations to go, just to suck up as much data as you could. Very cool.

Steven Lodin:

Exactly -- ftp.cerias.purdue.edu. Well, I had some interesting activities during the day under Spaf. For example, with Farmer and Wietse Venema, we got to do SATAN testing, so I ran SATAN on a 10,000-node network and managed to figure out what it would crash. The other piece that was really interesting out of that is the Tsutomu Shimomura announcement of what he thought was Kevin Mitnick attacking him with some of the R services. Out of that, I ended up getting interviewed for a book related to that activity. Kind of an interesting idea, hanging out in Sonoma with some of the historically significant characters like Marcus Ranum and Steve Bellovin, and guys like that. After that, I finished up at GM, spent a couple of years at Ernst & Young, again working with some great people. Jon Darbyshire started Archer; George Kurtz, who everybody is very familiar with now. Lots of great people at E&Y in those days.

Steven Lodin:

After that, I spent a couple of years, well, eight years working for Roche, a global pharmaceutical. I spent three years living in Germany and Switzerland and got introduced to the security scene in Europe, meeting and working with people like FX and Remote Exploit, a very tight-knit community in Europe, and I really enjoyed my time there. One of the interesting things after working at Roche is that basically I'm where I'm at now; I work for Sallie Mae. Sallie Mae is a personal loan, private banking, and 529 rewards program company. We're definitely keeping track of credit card information and customer account information. We have millions and millions of NPI records regarding our customers, and my job here at Sallie Mae is to make sure that we have all of the security mechanisms in our security stack to protect the perimeters that now exist and to protect the data so that we don't have a breach or a leak.

Steven Lodin:

Some of the interesting things that I've done throughout the years: one is that in Switzerland, as we were trying to put together a way to test our wireless access points, running at the time WAF, throughout the global nation or the global environment, I paid Remote Exploit to create what ended up to be BackTrack. That was our custom CD that we plugged into our company devices to be able to go out and do wireless testing. And it turned into BackTrack.

Brian Contos:

Oh, that's awesome. That's really cool.

Steven Lodin:

Yeah, and I'm not really ready to admit it, but I did create a Palm Pilot application back in the day called Palm Crack. I took some information from Alec Muffett, who wrote the original Crack, and Joe Grand of L0pht and basically put together a little pseudo application on Palm Pilot.

Brian Contos:

Oh, that's awesome. And who didn't love L0phtCrack? Yeah. You know, it's interesting you're talking about Dan Farmer and Spaf, and SATAN – and for those of you who don't know SATAN, and I know a lot of you probably do – [it's] a system administrator tool for analyzing networks. It was one of the first scanners out there, and ISS actually had a freeware version as well. But I remember setting that up on a SPARCstation 1. And that's actually how I learned how to script in Perl, because I had to figure out how to work with SATAN, so SATAN helped teach me Perl, which kind of worked out. So, Steve, thanks for that. And obviously you've got a deep and rich history in this space, dating back to its earliest days. When you and I were talking a few weeks ago, you mentioned cloud and how cloud is really becoming this grand overlaying topic for most organizations. It seems like you hear about everybody moving into the cloud, combined with all the money with Amazon and Microsoft and what they're doing and other organizations. What are the different ways companies are kind of making their way into the cloud today?

Steven Lodin:

Yeah, great question. So, one of the key pieces of advice is, before you begin, make sure you review this concept with your company leadership and you get the, quote, approval. And then if you're in a regulated environment, make sure that your regulators are aware and support you in basically taking this fork in the road from either on-prem or managed data centers to moving your infrastructure into the cloud. After that, basically there's a process where companies spend time selecting their infrastructure provider. Usually this requires assistance from third-party support who can help you evaluate your current IT and business environment and combine that with your leadership-sponsored goals and future state to select the best fit. This could also include considering cost models and contract language besides just the business and technology drivers. In the end, you could end up at a single source or you could end up in a multi-provider environment, with the caveat that if you choose multi-provider, it's almost double the cost on the security side to address multiple providers.

Steven Lodin:

Once you've determined your approach to this migration, you can basically come up with either a slow-roll model or a big bang. An example of the slow roll is basically, as a company, you migrate your workloads over time as the applications themselves get scheduled for refreshes in their product life cycle. The big bang side is really to take all of your data center assets and applications at once and move them to the big data center in the cloud. If the organization is already virtualized with no legacy systems, no mainframe ties, and a small number of physical systems, this big bang theory is pretty easy and simple on paper. Basically, you take a VM, you move it to a VM conversion application, it takes off the existing data center MSP applications that do operational things, you reapply the new MSP or data center cloud infrastructure provider applications for monitoring, you size it correctly, and then you spin it up. It's pretty simple.

Brian Contos:

Very cool. So, let me ask you, when you're talking to anybody in security about the cloud, it only takes maybe 10 seconds before the issue of data leakage is brought up. Whether that has to do with segmentation faults or whatever it is that's causing that, but it's very frequently brought up as one of the leading concerns. What are some of the golden rules, if you will, for protecting that from happening?

Steven Lodin:

Yeah, so if you remember, there used to be that time frame within which a system connected to the internet would get hacked. It was like seven minutes, right? These days it's the S3 buckets, so there are certain activities that you want to do, called golden rules basically, when you're moving to the cloud. There are a couple of different categories, and I'll give you some specific examples underneath those categories. The first is you want to make your IT systems and applications harder to penetrate, so solutions in that space would be: do a software-defined perimeter, implement micro-segmentation, perform some basic hygiene. My team and I use the "stop stupid" phrase there, so no public S3 buckets, no over-permissioned security groups. Every S3 bucket that you create has logging enabled, it's encrypted, those types of things. Using the CIS security benchmarks as much as possible as a compliance stick, making sure that MFA is turned on in your cloud infrastructure accounts.

Steven Lodin:

The next golden rule area is making IT systems and applications harder to co-opt, or harder to pwn. So, encrypt everything at rest, encrypt sensitive data and transmissions in motion. Use DLP where possible. Protect your administrator accounts and privileges. Another one is make those attacks harder to conceal, so ensure that you're getting logging everywhere, including the cloud provider services. Centralize those to a central bucket and then do security analytics on top of that. Make sure that you're using the tools and techniques above the infrastructure provider to ensure that everything is set up and correctly defined and implemented.

Steven Lodin:

There's a whole series of tools from multiple different providers in that space. Another is, make the effects of attack and compromise easier to recover from. So, ensure that your forensic tools are in all your IaaS systems. Ensure that systems and data backups are recoverable. Make sure you do your DR testing. On the governance side, you want to ensure that you've got centralized management of your cloud accounts so that additional Amazon or Azure accounts aren't spun up with company data, unbeknownst to you. You need to make sure that you integrate existing controls and your governance process into this new cloud environment and develop new evidence-gathering processes. And then another really interesting thing to take advantage of is to provide verification of the environment configurations with a security instrumentation platform. And we can talk more about that later.

Brian Contos:

Sure. Just such a fantastic list, and as you're going through that, I think a lot of that was just good cybersecurity hygiene for your typical on-prem data centers as well as the cloud, S3 buckets of course and things like that excluded. But it's amazing how much the old paradigms, log it, encrypt it, encrypt data at rest, data in transmission, all these things still apply. But a lot of the time I've noticed, when people are migrating to the cloud, there are a lot of assumptions. There are a lot of unknowns. The controls might be poorly configured. They're really not even sure if they're poorly configured or not.

They just have no idea. Which goes back to my first statement, a lot of assumption-based security. You have these undefined, kind of cloud-specific regulatory environment issues that you have to deal with, and changing strategies that might impact your ability to move into the cloud. There's just a lot of stuff, and I know you've been through this a few times, but what are some of the surprises or gotchas or maybe lessons learned from cloud migration?

Steven Lodin:

Yeah, so as you mentioned, definitely we have experienced some of those "gotcha" surprises and lessons learned. One of the gotchas that's not readily apparent in your migration to the cloud is that, for example, AWS security groups are really not a next-generation application-aware security firewall. It's really limited in what the options are there, and not something where, when you hear, "Oh, yes, do security groups," that solves your problem. It's definitely different. Another example is the load balancers may not have the same features and functionality and programmability that your existing on-prem load balancers have. So, if you're doing a migration and you have customization in your load balancers or SSL for application security related things, you'll lose that capability when you go to the cloud-based load balancers. Another interesting gotcha is that you hear auto scaling, you hear basically you can react effectively, fast, efficiently on sizing, but a lot of the AWS Marketplace security solutions that are out there today are not auto scaling capable.

Steven Lodin:

You don't have to remove your license off of that one, spin up a new version of the marketplace app, and relicense that. Not as flexible and efficient in the cloud, when you think about all the cloud benefits. Some surprises that we've seen: AWS security groups have limits. You can only have so many line items in a security group. That was definitely interesting to us. As many people are aware, the network IDS, IPS, and tap-in capability until recently wasn't available, so you could lose some of your security stack capabilities like an IPS. Just as we speak today, Amazon is working on the beta version of their network tap-in capability, and we're working with vendors on doing some early testing on that. Azure has recently as well provided that tap-in capability, so the stack loss that you have in your security model is gaining traction to get the completeness from a regulatory perspective that you're used to today. One of the lessons learned from our side has been that it's difficult to do a cloud migration at the same time you're changing the entire process within your application development teams. In our particular case, we were moving from a waterfall development model into agile and trying to make the migration to the cloud at the same time. A lot of competition for resources and capability scaling issues as we went through that process.

Steven Lodin:

Another lesson learned, as we're integrating with third parties in these cloud environments, is that on the third-party level there's still a lot of immaturity in the cloud environment. So, the first thing they ask for is, "I need an asterisk in my permission so that I can do whatever I want as an application." And in a regulated environment, asterisks are red flags. So that was another lesson learned as we went through this process. And in the cloud, there are two real key pieces: identity means everything, and tagging is critical. So, making sure that you've got those solved up front rather than after the fact is important. So those are some of the key pieces that we've learned as we've gone to the cloud. Definitely interesting changes every time. And as you know, the cloud providers are adding a new product, it seems, weekly. Okay.

Brian Contos:

Yeah. And you made a great point there about resources. If you're making that migration, maybe don't have 10 other high-level projects that you're still working on that are pulling resources away, just because of that complexity and all those little gotchas that you mentioned, so it makes a lot of sense. Looking into the future, what's really capturing your attention as it relates to various security topics, cloud or otherwise?

Steven Lodin:

So, some of the things that are piquing my interest: one is this concept of replacing the Lockheed Martin Cyber Kill Chain model with the new MITRE ATT&CK framework. This appears on my side to be a great method to establish a comprehensive measuring of your coverage in the security stack and demonstrating competency in the security architecture. I know Verodin is a proponent of this. Can you provide back to us what your thoughts are in this space?

Brian Contos:

From our side, for the Verodin Security Instrumentation Platform, or SIP, it's all about removing those assumptions and measuring your effectiveness based on quantifiable metrics instead of guesswork. So, in layman's terms, I want to make sure that that firewall is stopping, that IPS is detecting, the endpoint is stopping the malware, or the SIEM is correlating, so on and so forth. So, the tools I bought are actually doing what they're doing. I see SANS, OWASP, Lockheed, MITRE ATT&CK, and a number of others as great frameworks that you can go ahead and measure against. I think they all have their value adds. What I particularly like about the MITRE side, and the endpoint in the post-exploitation, is it really says what happens when there is a breakdown, let's say in your endpoint security control, and the malicious activity does get past: what's the next step?

Brian Contos:

So, it sort of takes you that next step, which I think is really critical because as we all know, there's no such thing as 100% prevention. We have to augment that with detection and we have to augment detection with response. So that does add a nice framework and certainly for Verodin, for a little plug there, that's something that we like to allow our customers to measure against, to report on and to be able to communicate the effectiveness of other solutions against frameworks like MITRE ATT&CK. So, absolutely. I'm with you. I think I'm seeing MITRE ATT&CK come up more and more. I think it's highly relevant. And I think we're going to just see a more wide-scale adoption of it as the months and years go on.

Steven Lodin:

Yeah, fully agree. And there's probably some article or quote that says you need to know what your weaknesses are and this is a great platform to measure those.

Brian Contos:

Yeah, for sure. For sure. So, what do you think about Amazon's future? You said it best, it seems like every week there's a new product or you know, a new solution or service, you're in the middle of this as a consumer of their services. What's your perspective on their future?

Steven Lodin:

Well, as a recent podcast with Ed Amoroso basically said in his interview with you, it's a no-brainer for all small and medium companies to move to the cloud. I continue to see a major shift for applications and infrastructure to move there, too, approaching that 90% range, maybe a pie in the sky. But where this goes after that is it seems to have an impact on the government and the regulatory views regarding monopolistic behavior and critical infrastructure. So, at the rate that they're going in continuing to enhance their model of coverage, I see some potential big changes to Amazon in the next three to five years regarding the possibility of segmenting, splitting the company up, and a possibility of declaring Amazon critical infrastructure.

Brian Contos:

Yeah, very interesting. It's funny you mentioned Ed Amoroso, of course, who led security at AT&T, I don't want to misquote, but I think around three decades, a very, very long time. And, of course, they went through that breakup too because of similar perspectives related to monopolies for the telephony side. So yeah. Very interesting. Thanks for that, Steve. Let's wrap up here. I've got a very, very important question for you. I'd like to ask this to all of our guests. So, Steve, who is your favorite superhero or super villain and why?

Steven Lodin:

Okay. Am I limited to just Marvel?

Brian Contos:

No. No. Oh, absolutely not.

Steven Lodin:

All right. If it was Marvel, I'd have to choose Iron Man. But if I can go anywhere, probably one of my most interesting cartoon superheroes is Race Bannon from Jonny Quest. He was a bad-ass protector, former three-letter-agency guy, can get his hands dirty, addressing threats and creating ways out of sticky situations.

Brian Contos:

I love it. I love it. As you can imagine, doing this podcast for a while, we've had some overlap, but that's the very first time we've had a Jonny Quest one. I love it. That's cool. Cool stuff. Well, thanks Steve, and thanks to our listeners for joining, and be sure to check out other cybersecurity tech in this podcast, sponsored by Verodin.
