Techstrong TV: How to Prepare for Highly Destructive Malware
With cyberattacks on the rise, Microsoft warning of a highly destructive form of malware in Ukraine, and White Rabbit being linked to FIN8, Tim Van Ash, Sr. VP of Product and Technology at AutoRABIT, and Charlene O’Hanlon discuss how best to prepare for malware and the cyberattacks on the horizon. A transcript of the conversation follows.
Charlene O’Hanlon: Hey, everybody. Welcome back to Techstrong TV. I’m Charlene O’Hanlon and I’m here now with Tim Van Ash, who is the VP of Products at AutoRABIT. Tim, thank you so much for taking a few minutes and talking with me today. I do appreciate it.
Tim Van Ash: It’s a pleasure, Charlene. Excited to be here.
O’Hanlon: Oh, well, I’m so excited that you’re here as well. And I want to talk to you a little bit about some of the issues that have kind of crept up with cloud platforms and security and so many different things related to what we’re seeing these days in the cybersecurity space. But first I wonder if you can introduce us to AutoRABIT.
Van Ash: Yeah. AutoRABIT is the DevSecOps leader for Salesforce. And we specialize in protecting and assuring regulated industries, so finance, insurance, healthcare, but anyone that has strong compliance requirements.
O’Hanlon: All right. Great. So I imagine you are seeing a lot of what’s been happening from a cybersecurity perspective as it relates to platforms such as the Salesforce platforms. We’ve been hearing a lot about what has been happening over in the Ukraine, and FIN8 White Rabbit, there’s a lot of stuff happening with malware. I wonder if you can kind of talk me through what has been happening out there and how Microsoft is involved. And then maybe we can kind of talk to the larger issue of security with regards to these platforms.
Van Ash: Yeah, would love to. I mean if we look at what’s happening in Ukraine, and the reality is we’ve had quite the two-month period. You know, starting in December we logged. But what happened in Ukraine is they were deliberately targeted with malware that locked the disks of the system, so it prompted the main boot record. Microsoft, you know, through their Defender product picked that up and it was their security research team who really published the first deep insights around the issue.
But I think the bigger issue in all of this is the supply chains we all face around application development today and how they’re at risk. You know, if we look at what we often see in the Salesforce environment. There’s a number of blind spots that people just aren’t aware of because they’re assuming that the providers are going to take responsibility for that, and in reality they don’t; it’s up to the customer.
O’Hanlon: So we’ve been hearing a lot about software supply chain security and this emerging idea of a software bill of materials with the application development. Is this something different than those conversations? Is this a different type of cybersecurity threat or blindspot, if you will?
Van Ash: It is, because when we think of malware we often think of infected web pages or web applications and things. And that’s where that aspect of the supply chain comes into play. But there’s another aspect of it, particularly in environments like Salesforce, where you’re not just talking about code and data; you’re talking about files. And in those files – and one of the things we see from time to time, as not only a DevSecOps provider but a data protection provider, is that they’re infected with malware that no one’s aware of.
O’Hanlon: And so what is it that organizations and individuals can do? Because this sounds like this malware is so embedded in the files that it’s not anything that is readily – you know, it’s not noticeable immediately and folks probably don’t even realize that they are infected until it’s too late. So what is it that organizations and people can really look out for? What steps can they take to kind of lock down their systems or at least make sure they’re not going to be the next victim?
Van Ash: Yeah, that’s the right question, because platforms like Salesforce not only impact your customers or your B2C relationships; they impact your B2B relationships, well, as you’re leveraging the intranets and the like. So there’s really multiple steps that organizations need to think about, and it starts with an obvious, but something that organizations have somewhat forgotten, particularly as we’ve all been working from home over the last couple of years. And it starts with endpoint protection, having good antivirus and malware scanning capabilities on the endpoint devices, whether that be laptops, phones, and other devices such as tablets. Because it’s really at the consumer level that these things represent the greatest risk, but that’s also where they’re being distributed.
The other aspect in Salesforce – so Salesforce invests a tremendous amount around security and compliance. But they don’t have virus and malware scanning for all attachments. But they are available from third parties on the AppExchange. So you can both put endpoint protection on your desktops as well as putting malware and virus scanning on your organization by going with one of the managed packages in the AppExchange.
The third step that people should be thinking about is, before they make those files available (because those AppExchange apps take some time to do that scanning), to quarantine those files before they’re made publicly available. And whether that’s storing that in some sort of secure area and then making it available on the actual system, or whether it’s encrypting it until such time as you’ve been able to verify who the followers claim.
But the fourth aspect, and this is where we come in quite a lot, is when we’re looking at backups and recovery: we not only scan our customers’ backup files, but we quarantine and clean them, and we see every so often now we’re coming through that way and we’re able to notify our customers of those incidents occurring. But it really speaks to the broader supply chain. So you’re not just talking about the supply chain, you’re also talking about disaster recovery. You know, we were talking about the Ukraine and it being similar to what we’re seeing over there; there’s very little that those endpoints are able to do because the master boot record was corrupted. So the only way to really bring those systems back is from a full backup. And this is where AutoRABIT can help customers manage these issues, in addition to having best-in-class DevSecOps to ensure and decode before it goes into production.
O’Hanlon: So one of the things that I’ve been kind of wondering about a lot lately is because over the last year, year and a half or so, we’ve seen this huge rise of low-code platforms, low-code development platforms and no-code platforms. And on the surface it sounds like a really great thing, but all of a sudden we’ve got this entire population of citizen developers that might not be as well-versed in understanding the security around applications that are being created. And I wonder if you’re seeing an increase in issues related to low-code development platforms and no-code development platforms that are inadvertently introducing compromised security, or maybe code that hasn’t been scrubbed and actually does have a vulnerability in it. Is that something that you guys have seen? I mean obviously you’re working with Salesforce most often, but certainly Salesforce in and of itself I believe considers itself to be a low-code platform.
So what are you guys seeing in that space?
Van Ash: Yeah, that’s a great question. The recent Log4j firestorm that we had in December is a perfect example of this issue, because often the no-code or low-code providers are based on various open source or third-party packages to get them to market and to expose different capabilities. And whether it’s leveraging UI frameworks like React or Angular, all of these can have hidden vulnerabilities that the vendors themselves are likely not aware of. I mean if you look at Log4j, it took Salesforce I think three weeks to respond to that issue because it was so pervasive throughout their infrastructure, and just about every major line of business in Salesforce was impacted by that too, to more or less a degree. Because it was in the depths of the application platform itself.
So it’s these hidden risks and being able to assess for those. I mean as soon as that disclosure occurred in December we saw a flood of security questionnaires coming from customers about how you were impacted – you know, for our own platform we take a defense-in-depth approach. So fortunately we were able to mitigate and prevent any risks there. That’s not the case for a lot of organizations.
So one of the things that I would sort of stress is ensuring that the pipeline you’re adopting is thoroughly audited, meeting sort of various standards, whether it be ISO 27001, SOC, HIPAA, PCI. Because all of those things not only give you a level of assurance, but often organizations forget that it’s not just the platform, it’s the people and the processes that support you in these no-code environments. So you really need to manage your risk and model those risks across all three potential attack vectors.
But for us, when we start with those areas in Salesforce we emphasize starting with static code analysis of your existing organization so that you can establish what is your tech that you already have in place? What are the risks that you didn’t know that you already had? And then identifying those risks, providing the mitigations and the actions that you need to take based on the level of severity and then cleaning up your org, but then making that part of your development process so that you’re assuring at the time the developer is writing the code that they are able to implement this process, but they’re not using libraries that have known vulnerabilities, known issues.
So it really is all about shifting left to ensure that developers don’t get to the final minute of release and then discover you’ve got a problem, or worse, find it in production.
O’Hanlon: Do you think that organizations as a whole are more cybersecurity-aware, if you will, they’re more kind of highly attuned to security risks in general and quicker to react when there is a malware that is discovered? Do you think that we’re getting better at it, I guess is the best way to say it?
Van Ash: I think we are. But I think in organizations’ ability to actually do the risk assessment for their organization, we still see a lot of sort of panicked responses.
But if I look back to December of 2020, when SolarWinds really became visible, it took organizations probably two or three weeks before we started to see security questionnaires and looking at how did they respond. If you look at Log4j we had those security questionnaires the following Monday. So I think organizations are starting to grasp these issues. Their ability to do that risk assessment is significantly better than it was 12 months ago. But we still see the “If in doubt, panic.”
O’Hanlon: Right. [Laughs] That’s my motto. No, I’m kidding. [Laughs]
Well, you know, I guess in one sense that’s actually very heartening to hear, that organizations are being more responsive to the threats as they come down, and just trying better to understand what their response should be and how they might be impacted and what that level will be. But at the same time, you know, obviously just the fact that we have to do it is obviously not the best thing in the world. But the cyber threats always seem to stay one step ahead of us. And I’m not sure that’s ever going to change, but at least we’re getting better at it and, you know, one of these days we’ll be proactive rather than reactive, but at least for now our response times are quicker, it sounds like.
Van Ash: They are. And there’s one other observation around Log4j: organizations were more focused on understanding what’s high-risk in their partners and their partners’ partners. So they are thinking more broadly around where those risks are coming from, so they really understand potential exposure.
O’Hanlon: Yeah. Well, that’s something, I guess. [Laughs]
Tim, thanks so much for having the conversation with me; I really do appreciate it. I think as we move farther into 2020 we’re going to be seeing more attacks like those that have come out of the Ukraine. And I think things are going to get really messy, but I think we’re – to your point, we’re hopefully doing a better job at responding to those threats as they come down, so hopefully there will be minimal risk of exposure or a minimal impact from the exposure.
So thank you again for having the conversation with me. I do appreciate it.
Van Ash: Thank you for having me.
O’Hanlon: All right, everybody, please stick around. We’ve got lots more Techstrong TV coming up, so stay tuned.