Supply Chain Risk: When Cyber Criminals Attack From Inside Our Applications
Jul 20, 2022 3:00 PM - 4:00 PM EDT
Supply chain security attacks are not going away. Whether there’s a vulnerability embedded in your software or hackers are embedding their own backdoor in third-party software, you want to set a plan in place to protect against it.
Expert threat hunters suggest looking into the behavior of your system. You have to figure out what’s normal, then analyze any behavior that’s out of the ordinary. To determine if the behavior change is actually a security threat, you have to start with a source of truth, look at behavior analytics, and gain visibility into your applications.
In this virtual event, Greg Irwin is joined by Matthew Hathaway, Chief Marketing Officer at TrueFort, to talk about supply chain risk and security. Matthew explains how TrueFort helps companies protect their workload, the benefits of Zero Trust, and how you can detect (and protect against) security threats.
Chief Strategy & Marketing Officer at TrueFort
Matthew Hathaway is the Chief Marketing Officer at TrueFort, a company that protects workloads in legacy and modern environments. Matthew has been in the security industry for 15 years, on a mission to help the technically innovative find the security professionals who stick to their promises. Previously, he was the Vice President of Product Marketing at Imperva and also Carbon Black, Inc., which was acquired by VMware.
Co-Founder, Co-CEO at BWG Strategy LLC
BWG Strategy is a research platform that provides market intelligence through Event Services, Business Development initiatives, and Market Research services. BWG hosts over 1,800 interactive executive strategy sessions (conference calls and in-person forums) annually that allow senior industry professionals across all sectors to debate fundamental business topics with peers, build brand awareness, gather market intelligence, network with customers/suppliers/partners, and pursue business development opportunities.
Greg Irwin 0:18
Nice to meet everybody. I'm basically a group moderator for a living. I'm one of the partners at BWG; we cover lots of topics around cyber in our discussion forums. So basically, what we do is we'll have a partner, and today we have a partner in TrueFort, and we're going to talk about supply chain security. But some of what you're going to see is I'm going to go around the group, and I'm going to ask everybody to share a story. The story might be, here's what I'm doing; the story might be, here's what I'm trying to solve. But I'm a big believer in the strength of the community, and the fact that people really want to hear about what's actually happening in other environments. So Matt Hathaway, I'll introduce Matt here in just a moment, is my partner in crime. And he's going to, you know, kind of go through what he's seeing across the environment. We set our topic here around supply chain, and we're going to start there, but y'all can guide us, and we can go in other directions based on your interests. If it goes, you know, too far down a rat hole, I'll pull us back out. Let's use the chat window throughout. So it's really, you know, as people are talking, you can layer on your own questions or comments; it works really well in a forum like this. And then lastly, the sense of community. I'm going to ask you all to set a goal, which is to make one new contact across this group. It doesn't have to be TrueFort or BWG, but we have a lot of talented people joining today, and it works better when we drive that community. So as we go, you can go direct right through LinkedIn; if you want some help, I'll be happy to help make a connection. I'm not going to be publishing everybody's email address. But, you know, take advantage of the peers that you've got on the line. Alright, let's get right into it. Matt, nice to speak with you. Do us a favor, give a real quick personal intro and then tell us who TrueFort is.
Matthew Hathaway 2:30
Thanks. Yeah, so Matt Hathaway, I am the CMO at TrueFort. I've been in security for about 15 years, always on the vendor side. But for most of that time, about 10 years, I was building products and doing product management work. And I moved over more to marketing, to help, you know, sales orgs, and try and pull the message to what's more helpful for buyers, as opposed to, you know, buzzwords and what I call silver bullet marketing that's so prevalent in security. So that's how I got into marketing, despite being an engineer by training. And, yeah, so TrueFort, I joined earlier this year. What I love about what we're doing as a company is basically the founders ran into an issue after experiencing a breach, as many people do. But they went through it at a major bank, where they were spending over a billion a year on software, and they still couldn't figure out what happened. And at its root, what they built was a platform that could explain what is happening inside applications in your data center or cloud at all moments in time: look back at it, look at it live right now. And what our customers have used it to really address is microsegmentation, workload protection, things like file integrity monitoring, those sorts of use cases. And that's really what we're focused on growing today, and expanding in the next couple of years, quite rapidly.
Greg Irwin 4:10
Let's drive the point. In terms of a customer story, if you would, tell us about one customer. Maybe it's supply chain, maybe it's another use case, but how is one customer getting value out of the platform?
Matthew Hathaway 4:24
Yeah, I mean, it's loosely supply chain. The example that I'm going to talk about real quick is really around the Log4j vulnerability, and somebody saying, okay, well, obviously vulnerability management can't predict where the next one will be. It doesn't look like malicious code, things like that. But just when those come up, and they always will, how do I identify quickly where it is within my data center, within my organization? But also, how do I kind of defang that the next time, make it so it can't really hurt me in the critical applications and reach my critical data, right? Like, how do I segment and protect against, you know, other parts of the data center being breached? And so their first approach was, of course, to address Log4j itself, but then say, okay, we won't know where the next one is going to be, so let's try and isolate all of the different applications from one another. So starting with the most critical app, or crown jewels, and then move from there. And again, everybody knows more will come. It doesn't stop a backdoor from happening, but making it so, you know, you minimize the blast radius is what they feel like they were able to accomplish.
Greg Irwin 5:54
Let's do this. Let's dig in a little bit. I have some follow-up I want to do with you. But I'm going to first invite everybody here on the line to share with us one question you've got, not necessarily for Matt; it could be for your peers, it could be for the others in the group. But we're talking about TrueFort, and we're talking about supply chain security risks. Do me a favor, everybody drop into the chat one question you've got for either your peers or TrueFort. And that'll help us focus and make sure that this session is going to be useful and valuable for everybody. Matt, let's talk a little bit about supply chain security. I think we understand it; I think it would be really nice to hear, in kind of practical terms, how big a risk is it really? How often are threats coming through in terms of supply chain risks? And, you know, is it really growing as a part of the attack surface? Or are we just hearing about, you know, one or two attacks, and they're getting a lot of attention?
Matthew Hathaway 7:02
Yeah, I mean, I think what we've seen, at least from the news, in the last few years is, if it's not growing, it's a steady cadence, right? It's not going to go away. But, you know, depending on what exactly it is, whether it's just the vulnerability in software embedded everywhere, like the example I just gave, or it's somebody compromising a GitHub repository and actually embedding their own backdoor in third-party software, those are very different risks, and very different likelihood. And you're probably going to see a lot of, you know, with the amount of open source software and the amount of efficiency it brings to a development team, you're never going to see it really diminish, the vulnerability example, I should say. The other one's probably going to be a lot less often, right? But SolarWinds is an example. Those are going to be less frequent. There's a lot of work, a lot of time, a lot of investment that goes into something like that. Those are the sorts of things that you have to protect against, but you shouldn't expect them to hit your organization. It's more the vulnerability example, the unintentional backdoor that's discovered.
Greg Irwin 8:22
Got it, got it. All right, Dan and Brian, gold stars. Thank you both. Everyone else, do me a favor, drop a question. Or it could be a broader topic that you'd like to be discussed here. Let's keep going a little bit more with that. Backdoors? Is it, you know, are most of these vulnerabilities really caused by backdoors?
Matthew Hathaway 8:45
I think it's usually the opposite. The reason I'm fascinated by the Log4j occurrence was, when they started to dig into it, you know, it's an open source library that was maintained by two engineers in their spare time, right? Like, you can't blame them. And so when they pushed a release and it had a vulnerability in it, who do you go to? How do you correct that? How do you avoid that in the future? And those sorts of tools that are extremely valuable are in use across organizations all the time. So that was in no way an intentional backdoor that was not caught. It was caused by, you know, every piece of software has vulnerabilities from time to time. And that's why there's a patching process and release, and Patch Tuesday from Microsoft; everybody acknowledges their software will have vulnerabilities. And those sorts of open source and other third-party tools that are embedded in your software or your server or some other part of the data center, those are much more common. They're probably much less commonly exploited, because, you know, you have to find them and keep it secret long enough, but those are a lot more common than a backdoor. Backdoors take a lot of plotting and thinking through, and stealing a developer's credentials or some other method, and then embedding it, and then waiting until it's, you know, released to the world and didn't get discovered in the process.
Greg Irwin 10:19
Is there any concern in terms of where you're sourcing your software?
Matthew Hathaway 10:25
I mean, when it comes to the public cloud, I haven't heard of anything. I've never heard of an example of, you know, getting either malicious access or malicious software through it. It's not like an app store, right, for consumer devices. But I mean, theoretically, anything could be a target point. I just haven't personally heard of an example.
Greg Irwin 10:46
How productive, how effective can you be in threat hunting, to find true vulnerabilities and basically close off real risks? Open question. Matt, I'm happy to go to you. But, Dan, I have a hunch that you have an opinion on that, as do some others. So let's spend a couple minutes on this one. Matt, why don't you go first?
Matthew Hathaway 11:07
Yeah, so, um, I've worked directly with some really seasoned threat hunters. And what they generally say is the most important thing to find is what's normal. What normally happens? And when does that change? And it can be explained simply by, hey, we pushed a new version of software, and that's fine, this behavior change, but they always pull that thread. And they did absolutely say the unknown unknown, like, there's no indicators of compromise for this kind of exploit. There's no identified behavior out there. So you start to say, why did this new behavior occur? What caused it? Is this a risk? So lots of times they would come up with, all right, this is a miscommunication, this is a misconfiguration, we shouldn't allow the system to do that anymore. It might not have been an attack, but there is value beyond just discovering a sophisticated attack when doing threat hunting. It is an investment, though, so it has to be weighed in every org.
Greg Irwin 12:15
Leveraging CrowdStrike agents with TrueFort. Maybe, Matt, maybe we go back to Matt and just explain. How does that work? What's that partnership between TrueFort and CrowdStrike?
Matthew Hathaway 12:30
Yeah, so thanks for asking that. We've really seen that there are two big barriers in a lot of organizations to adopting microsegmentation, as it's been heavily pushed by either Zero Trust standards or insurance providers for cyber insurance. One of those is most of the solutions today require an agent. And the other is, you know, how do I get started? How do I get this up and running for a POV when it, you know, seems like it needs to be everywhere in my environment? And so what we take advantage of is, if you have CrowdStrike and other EDR agents already installed, we can actually use those for telemetry and not need to install another agent, which speeds up deployment and makes it so you can prove our value very quickly, like in a couple of weeks. And the other thing is that you can just use that to start on just your most critical application. You can get that quick win, and not need to get everywhere to see if it works; you can start just in one place. And then we can push all of the blocking rules to truly segment to the host firewall through the CrowdStrike agent, still not needing to augment that at all. So that's our relationship with CrowdStrike, and we've seen it really speed up how quickly people can evaluate and our customers come on board. CrowdStrike, we're on their store. But it's not specific to CrowdStrike. We actually have one customer who has their own reasons; they're very large and spent a lot of money to do that. I would never suggest that. But they had their own agents, and we showed them, as long as we have access to their data lake, that we can do the same sort of thing. We just need something on board that we could push those host firewall rules to if they want to go to enforcement, but some start with just telemetry, and that's enough to prove our value. It is not limited just to CrowdStrike.
Greg Irwin 14:40
How is it actually consumed, Matt? Like, who ends up with the data, evaluating the data and, you know, tracking kind of the information that TrueFort's presenting?
Matthew Hathaway 14:52
It's a great question. And I think it's not the same answer in every company, from what we've seen with our customer base, right, because there's the balance between the application owners, who don't want anything lowering efficiency in the data centre. They don't want anything new installed. But they also have trouble knowing, in runtime, what's running. So they're involved in the project. And then the security team is the one most heavily pushing for the project. But the question becomes, like, who owns this? Who owns saying, yes, the enforcement, we can start to move to enforcement mode, we can block traffic, as long as the two teams can have the same visibility? And it's different in every org. Some organizations have a cloud security team who manage it all, and some have just decided not to go with a segmented cloud security team, and it's owned by the traditional information security team.
Greg Irwin 15:48
Are you pushing per-device rules? Or is it based on groups of devices? I've got to say, I'm a little confused by the question, but Matt, I think you got it.
Matthew Hathaway 15:57
I think I understand that. Yeah, it's a great question. So the main thing that we strove to do when building the platform was never require you to know an IP address. And that's a part of, like, per device. All devices have their unique identifiers. But when we want to support, you know, more ephemeral assets, like containers, or even virtual machines that live a day, what we determined was we needed a profiling means to say, let's apply tags to all of the different workloads that do specific jobs within an application. And the rules are pushed to that tag. And so you could have one type of asset that has the rules, or you could push it to 1,000 that are the same. It's really just up to how things are tagged and profiled, to avoid that kind of, hey, you know, that thing only lived a day. Why would we want that? How could we ever possibly manage that? And that's where a lot of the automation comes in. Yes, we're using the Windows Firewall or the Linux firewall, but those are all IP tables; we abstract that from you. So IPs change, devices change, they have their profile, they have their tags, and we'll maintain those rules on the platform itself.
Greg Irwin 17:19
Hmm. No, Matt, it's interesting that it's come up quite a lot here in terms of third-party risk management. When I think of TrueFort, I mentioned in my pre-call, I think of you guys as microseg. You guys, you know, have visibility about what an application is doing and how far it's reaching. How do you fit and play with third-party risk to kind of solve this problem around supply chain with, you know, multiple vectors?
Matthew Hathaway 17:48
Yeah, I mean, as long as you're talking specifically about software supply chain, and, in some of the, I hadn't heard the term before, but like fourth party, what platforms they leverage, that Samir said, that is an area that, as a solution, microsegmentation as a category, I should say, helps you with the rest. It doesn't assess the risk, right? It's not what we, TrueFort, are going to provide you. We can't tell you, you know, whether to trust a vendor or software. But giving that visibility of what it does every day, and allowing you to set rules to say don't allow this piece of software or this application as a whole to ever communicate with your critical applications, can do a lot to isolate, right? Somebody gets in, somebody compromises, exploits a backdoor, but they can't move on from the server they accessed. That's how you mitigate the risk. Again, we're not going to identify it; we're not going to say, hey, don't ever trust that. But we can help you make sure it stays where that initial compromise happened and doesn't spread.
Greg Irwin 18:58
So that's cool. You can basically set a ring fence around it.
Matthew Hathaway 19:03
People use that term for, yeah, for microsegmentation. Some people call it a micro perimeter. Honestly, all of the terms are kind of fairly new in the last few years, and nobody's agreed on which one's the best. But it is really saying, like, you can completely isolate an application, you can isolate two servers so that only this workload communicates with that database, or you can, you know, much more realistically, set their standards of, you know, your high-traffic applications that aren't storing sensitive data. You don't want those accessing the crown jewel apps.
Greg Irwin 19:45
All right, Matt, you've heard two organizations that have started down this path. What do you see as the challenges? And we'll talk successes too. I mean, we're doing this for a reason; there's a reason to go Zero Trust that so outweighs some of the challenges. Some of the challenges and some of the benefits.
Matthew Hathaway 20:03
Yeah, I mean, it's not a new concept, of course, right? I think the term was probably even coined eight years ago, to microsegment; network segmentation itself is much older. But from what we've run into, and what I've heard from our customers, the biggest challenge for a long time was the only way to do it was with, you know, firewalls, traditional firewalls or nection firewalls. And there's just so little context, like mitten identified there. There's some devices that communicate with everything. But if you have no idea what that communication is, what the frequency is, should we allow it? You can't take a lot of network traffic and go to an application team and say, hey, is this necessary? Because they don't know. They wrote the code, it's in production, they don't fully know. They're not allowed to log into production, right? They don't fully know what it does all the time in the real world. And so it goes back to what I said at the beginning, of understanding what is normal, and getting that agreement and that visibility to the application team and security team to say, here's what we can identify, like what commands were run. So, if you have a network scanner run every Sunday night, you should at least be able to see what it ran, what it communicated to every single system, right? But what did it run? Is that the same thing that ran a week ago? Where do you suddenly not see that scanner reaching out to 10 devices on Tuesday? Those sorts of predictability. Obviously, time isn't everything, but a lot of automation in the cloud and data center is predictable, unlike people. So it at least helps you get enough context to roll it out where you can. And again, it's an additive capability. Nothing solves everything.
But getting that context of which users run which commands and cause what network connections on a day-to-day basis, and each week, and each month, is the way that we've seen success, of saying, okay, we can all agree on some of these things; we still have questions on others; there'll be new connections next week, and we can all start to review. But at least having that baseline as trusted, and being able to, you know, find an anomaly that a threat hunter can track down, or your MDR service or whomever, and say, like, this is out of the ordinary. Is it an incident? Or is it just a new change to the applications? That's the real way. A lot of people will stay in visibility mode, because, you know, of all the concerns about going into enforcement. So you may all be confident in the first month, but still say we're gonna wait to month five before we truly turn on blocking. All of that has to be juggled and weighed against the risk. But it all starts with that source of truth and what's normal.
Greg Irwin 23:10
Can we talk cloud for a second? Because all of this works well, in my mind, around VLANs and east-west traffic for an on-prem network. But what about cloud? And, you know, do all these same ideals of Zero Trust and microseg, how do they carry over? What changes when you start talking about, you know, cloud platforms?
Matthew Hathaway 23:30
I assume you mean Azure, AWS like that, right?
Greg Irwin 23:36
Yeah. Yeah. Public cloud, hyperscalers. Yeah.
Matthew Hathaway 23:40
Yeah. I mean, from what we've seen, the overall concept doesn't change. But what tooling is there, what software is there, what comes from AWS or Azure versus what you bring yourself to the data center, they're all very different. But we've actually had some customers who just couldn't comfortably migrate to the cloud. They were doing a lift and shift; they actually were trying not to change too much of the overall behavior of applications. But still, it failed the first couple of times they tried to move from their data center to the cloud. And they had to go back to that same sort of, what do these things do every day? How do these applications run? And then they could do their best to mimic it in the cloud and make it operate. But if there is new tooling, right, and east-west traffic, to your point, you probably have a very different view of traffic. You're probably leveraging firewall or at least network telemetry from the cloud provider as opposed to embedding your own. But the concepts are the same. It's just, you know, what you have access to versus what, you know, you found inefficient and didn't want to manage: networking and managing servers, things like that.
Greg Irwin 24:52
Matt, take us home. What's our closing comment for the group?
Matthew Hathaway 24:56
I really enjoyed the conversation. I'm glad to have so many people involved; thanks for joining. And I myself struggled with Zero Trust years ago, the definition, how it keeps changing. I highly recommend taking a look at this: NIST has defined it. There's the Department of Defense's Zero Trust reference architecture. The concepts are big, but they've been at least defined to a point where I think we can keep moving forward, and microsegmentation, somebody said it in chat, is just one piece of it. It's been the hardest piece, but we've seen a lot of success in the last couple of years. And, you know, that's why I think Zero Trust and microseg are moving forward; people are continuing to implement, and they see how it protects against supply chain risk, but also other lateral movement, other concerns. But, you know, it has to fit into your overall plan. It's not a standalone silver bullet, as we said earlier.
Greg Irwin 26:04
Well, Matt and Olivia, thank you very much, the whole team at TrueFort, and thank you all for joining and particularly for contributing some good thoughts. Appreciate it. Stay a part of the community, and I look forward to speaking with everybody on a future call. Thanks, everybody. Bye bye.