CISO Approaches to Human Attack Surface Protection Amidst Budget Cuts | Matt Polak and Jeff Farinich

Interested in sponsoring an episode like this with your target buyer?

→ Reserve your sponsorship here. ($2,575)

Exposed PII about each of us out there becomes the fuel for the threat actor to be able to gain initial access.

The human factor is an area that we definitely need to focus on more because it is being targeted much harder than in the past.

Impersonation appears to be a big problem, especially when the communication channel never touches the controls where you have any way to block it.

Also the bigger problem than your employees is educating the consumers. A lot of times they are not familiar with security measures: their home computers are compromised and they click on a lot of things. 

The root cause of the problem is open-source intelligence about your humans. 

Even though blocking emails and suspicious domains are also the elements of the solution, if we don't go back to find a root cause, we’re an easy target.

Brutally honest insights from Jeff Farinich, SVP Technology and Chief Information Security Officer of New American Funding and Matt Polak, Founder & CEO of Picnic Corporation.

Guests at a Glance

💡 Name: Jeff Farinich and Matt Polak

💡 What they do: Jeff is currently the Chief Information Security Officer at New American Funding and Matt is currently the Founder & CEO of Picnic Corporation.

Jeff Farinich has been in IT and security for over 25 years, but he also has a business and accounting background. Nowadays, his role is the SVP of technology services and the CISO at New American Funding. He has been there for over 3,5 years. Jeff thinks that security has become more important and much more front and center lately.

Matt Polak is the CEO and founder of Picnic Corporation. He’s really passionate about the problem of human attack surface protection. He wants to bring some of the attacker's mindset to defenders and to help people that are thinking how to actually make people and organizations safer.

💡 Where to find them: Jeff and Matt 

What is human attack surface protection? A short overview.

Human Attack Surface Protection can be understood as safeguarding personal information that could potentially be exploited in a cyberattack. 

Matt took us on a trip down memory lane. When he and his team first started addressing this issue around late 2018 and early 2019, he reached out to a wide network of people from the intelligence community, including red teamers and folks that are black hats, gray hats, white hats. 

They were on a mission to understand the precursor events to a cyberattack.  

So, they delved deep, taking personal profiles and asked these experts, "How would you initiate an attack on them? What would be your starting point? What kind of information would you seek?"

As they began to dissect the results of this exercise, they found intriguing patterns.

Surprisingly, or not, the principal data source for threat actors planning a human-centered attack is LinkedIn. 

Typically, these bad actors would use LinkedIn as a stepping stone to data brokers like MyLife, Spokeo, Intellius, and various background check providers. 

These entities trade data like a commodity, dealing in sensitive information such as family details, personal emails, and cell phone numbers. 

Armed with such data, threat actors can pivot towards a multitude of resources, such as the dark web and stolen credentials, which essentially serve as the foundation for their attacks.

So, when we talk about the human attack surface, we're discussing the exposed personally identifiable information (PII) about each of us.

It's this available data that becomes the fuel for the threat actor to gain initial access. 

If you're familiar with the MITRE framework, you might think of it as everything that falls on the left of the initial access stage. 

Therefore, protecting this human attack surface is crucial to minimize the potential of personal data being exploited in cyberattacks.

How do you secure the human layer in a challenging environment?

Securing the human layer in a complex environment can seem daunting, but there are several key tactics and approaches to consider. 

Let's use the mortgage industry as an example, as outlined by Jeff, a seasoned professional in the field. Unlike banks, mortgage companies have no depository funds, offering a unique advantage as there's no immediate cash for hackers to pilfer.

To begin with, the regulation of personally identifiable information (PII) is paramount. Operational integrity is another significant aspect. It aims to minimize downtime, which can present opportunities for cyberattacks. 

Keeping stringent controls on common conduits for attacks such as emails, thumb drives, and web access is part of this integrity.

Employing strong web filtering and data loss prevention (DLP) tactics are crucial to prevent personal information from being siphoned off. Implementing robust authentication measures is another critical step. 

However, it's essential to understand that multi-factor authentication (MFA), contrary to popular opinion, has its flaws. For instance, there's a significant risk associated with session identity tokens being stolen from the browser.

In recent times, there has been a drive to transition the workforce to a passwordless system and to use passkeys for consumers. Under this system, the device becomes an integral part of the authentication process. 

Another growing trend is the use of enterprise browsers, which are increasingly becoming the primary workspace for the modern professional.

Preventing the use of corporate credentials on non-corporate websites is another measure that can contribute to securing the human layer. 

Social engineering: Do CISOs worry more about impersonation or direct spear phishing? 

While he acknowledges the significant threat posed by spear phishing, especially via emails, Jeff affirms that in recent years, they've managed to gain substantial control over this issue. 

The secret to their success lies in a dual-layer strategy that focuses on robust email security.

Interestingly, Jeff highlights impersonation as a more considerable problem, especially when the communication channel circumvents any control mechanisms that could potentially block it. 

He points out that employees themselves may alert the company to an impersonation attempt, yet there's still a substantial gap due to the inherent difficulty in preventing these incidents.

He also sheds light on 'smishing' (phishing attempts through SMS), which poses another significant challenge. 

Much like impersonation, smishing also bypasses typical control planes, making it a particularly hard issue to tackle.

Jeff emphasizes the importance of managing the attack surface - all the assets visible from the perimeter. Without a comprehensive understanding of this landscape and a strategy to address the gaps, organizations expose themselves to easy exploitation.

When it comes to preventing impersonation, Jeff underscores a few key strategies. Establishing robust email controls, including setting up accurate 'PF' (sender policy framework) records and limiting the ability for external parties to send emails on your behalf, is crucial. 

Moreover, ensuring that any outgoing emails are directed through your control mechanisms can help reduce the risk of impersonation. 

What if we could know where the targets are?

The idea of knowing where potential targets are can be an enticing prospect in the battle against social engineering. 

Jeff believes that if he could pinpoint which employees are more susceptible to impersonation schemes, it could be beneficial. 

However, he also recognizes that targeting patterns shift over time: if an attack doesn't yield results, attackers tend to move on to the next target. 

Despite this, if there was any indication that a greater number of his staff were at risk, he would, of course, take steps to prioritize their protection.

One of the essential aspects Jeff highlights is understanding the confidence level of an application. To safeguard personally identifiable information (PII), he opts to block any such data from reaching unsanctioned apps. 

He sees limited use cases for browser isolation as it is effective only if the website in question is uncategorized. He firmly believes that enterprise browsers are a vision of the future.

In addition, Matt shares an interesting approach. His clients are using an attack index, which lists the individuals most targeted in attacks. 

By focusing their efforts and minimizing the human attack surface for those on this list, they've seen a reduction in the number of attacks against these high-risk individuals. 

This demonstrates that knowing potential targets and directing protective measures towards them can be an effective strategy in mitigating social engineering risks.

Is there another angle of seeing the whole identity?

Jeff highlights the potential value of having more visibility into an employee's social profile beyond just LinkedIn.

Dark web monitoring, as Jeff suggests, is crucial to understanding potential exposure from credential breaches. However, he also cautions that false positives are a common occurrence. 

While this may complicate the analysis, it doesn't diminish the value of such monitoring.

Matt offers another perspective, highlighting the stark difference in the volume of exposed breaches between work and personal identities. 

He notes that the likelihood of a breach associated with a work identity is approximately nine times higher than with a personal one. 

This disparity means that threat actors have access to an exponentially larger amount of data when they consider an individual's entire digital identity.

Jeff mentions that Identity Threat Detection Response (ITDR) is a significant area of focus for his work. 

It involves enhancing the signals from the active directory to the identity provider and through Software-as-a-Service (SaaS) platforms.

Looking ahead, Jeff sees potential in expanding his strategies to incorporate more social media profile information. 

He also expresses interest in finding ways to inform users about their attack surface. 

A Valuable Message to End Users

Jeff discusses the practice of monitoring personal credentials that may be compromised in a dark web breach. 

If such a breach is detected, he advises the individual to change their password promptly. 

Beyond this, he also emphasizes the importance of understanding one's personal PII (personally identifiable information) and suggests that users be informed about any exposure so they can take appropriate action.

Matt speaks about automated correlation of identities. His team can identify a user's work and personal identities, cross-reference them, search for credentials, and then work towards blocking any potential threats within the existing infrastructure. 

This approach allows them to proactively tackle potential cyber threats while also informing and empowering users about their personal cybersecurity. 

What are Jeff’s barriers to success when trying to solve for human attack surface protection?

Jeff notes one particular hurdle: the sheer volume of data generated from various signals in a cybersecurity context. This information overload can make it difficult to discern valuable insights and take meaningful action.

To counteract this issue, Jeff turns to behavior analytics, an approach he believes can simplify the task for security operations centers (SOCs). 

By focusing on behavior patterns, SOCs can more easily identify which users may require attention or pose a potential issue, thereby enhancing their ability to protect against threats. 

However, implementing behavior analytics at scale and maintaining its effectiveness amid a rapidly changing threat landscape remains a considerable challenge.

How does Jeff think about justifying spend for new solutions in new areas like human attack surface protection?

In managing the human attack surface protection, Jeff grapples with the challenge of justifying the spend for new solutions in an environment of increasing cost constraints. 

These constraints began around the first quarter of the previous year when rates started to rise, subsequently halving the origination volume for mortgages and affecting overall income.

These financial pressures necessitated a rigorous examination of the value of investments and renewals in existing controls.

It even led to the unfortunate necessity of cutting some vendors. Jeff underscores the importance of rationalization in this process: assessing the value a tool brings and whether the level of risk in a gap can be tolerated.

Jeff also highlights a significant push towards consolidation, favoring versatile platforms from fewer vendors that can offer broader capabilities without leaving gaps. However, he recognizes the need for specific point solutions to address gaps that few vendors can cover.

For Jeff, building the case for new investments is a matter of identifying the risks and drawing on his compliance-driven perspective. 

He operates within the financial sector and handles a lot of personal identifiable information (PII), subjecting him to various regulations like California's CPA A, the CIS 18 controls, the FTC safeguards, and the New York Department of Financial Services' stringent regulation.

Jeff points out that these regulations not only mandate certain controls but also impose penalties for breaches and lack of controls. He notes instances where companies were fined heavily, even when the controls were in place, if they were exploited or not effective.

Accordingly, he believes it's essential to go beyond just ticking off the checkboxes and instead, focus on the effectiveness and maturity level of the controls. All the measures related to security are tied back to the controls they aim to meet. 

By explaining these requirements to leadership, he aims to justify the necessity of new investments for improving human attack surface protection.

Jeff’s bleeding neck challenge right now

One of the principal challenges faced by professionals in the cybersecurity field, like Jeff, is dealing with diverse privacy regulations across different jurisdictions. 

Operating in a country with 48 states, each having distinct privacy laws, can be particularly challenging. This issue is especially prevalent among nationwide financial companies due to the lack of a unified federal privacy law.

Another critical concern Jeff highlights is the handling of personally identifiable information (PII), as ransomware and data exfiltration incidents continue to rise. 

The threat actors are growing more audacious and determined, not only aiming to gain access to systems but also resorting to various tactics to provoke payment.

They have been observed to expose company records, voicemails, and even video conferencing sessions. 

In some instances, they've publicly contested the accuracy of breach reports filed with the SEC by the targeted company, sharing their version of events to apply additional pressure. 

This aggressive behavior underscores the evolving and increasingly hostile threat landscape, making the task of securing the human attack surface even more challenging.

Matt’s bleeding neck challenge

In the complex cybersecurity landscape, the human factor is often identified as the most challenging issue to address. 

While significant investments are made in security awareness training, incident response programs, and various controls, there's a common sentiment among organizations that they're not effectively solving the problem. The individuals prone to clicking on malicious links continue to do so, and efforts to clean up executive digital footprints outside the security perimeter prove arduous and costly.

The solution lies in shifting from a reactive stance, focusing on detection and response, to a preventive approach, which can mitigate the volume of inbound attacks and reduce the number of alerts flooding the Security Operations Center (SOC). 

To achieve this, the creation of innovative solutions that deviate from the traditional security mindset is crucial.

The challenge is in linking this non-traditional security approach to established programs, which, while already effective in their own right, could be significantly enhanced by integrating predictive and preventive measures. 

There's a need to understand how to intelligently articulate this potential benefit and demonstrate the value it can bring to existing security programs.

Adopting the right language to describe this issue is critical, given the complex and evolving nature of the threat landscape. 

Understanding the perspective of those working directly in these roles, like Jeff, can help frame the problem more effectively and highlight the potential of innovative solutions in protecting the human attack surface.

Shifting from Control-Based Measures to Prevention-Focused Strategies

The disparity in focus between controls and prevention in many companies could be attributed to the traditional approach towards cybersecurity. 

Typically, organizations try to solve problems reactively, placing emphasis on setting up controls and blocking threats with various pieces of technology, rather than preventing attacks from happening in the first place.

Matt explains that the difference lies in perspective: While most companies take a control-based approach to block or stop threats, a different approach is to investigate how these attacks originate and unfold before they reach your infrastructure.

This means focusing on prevention by understanding and mitigating the root causes.

Another part of the issue is that many companies treat the problem as multiple isolated challenges instead of viewing it as a singular, overarching problem. The root cause, as Matt points out, is open-source intelligence about an organization's humans - the information that threat actors can gather about an organization's employees and their online behaviors. 

By addressing this root cause, organizations can significantly reduce their attack surface.

However, this doesn't mean that traditional control-based methods aren't valuable. 

Techniques like blocking suspicious emails or domains remain important elements of a holistic security strategy. 

The key is to supplement these methods with preventive measures that focus on reducing the amount of exploitable information about employees that's available to attackers.

Finally, Jeff brings up an important point that measuring and reporting the risk associated with each employee could be beneficial. 

This metric, derived from a combination of different signals, could provide a more comprehensive understanding of the organization's overall security posture and would be a valuable piece of information for board-level discussions about cybersecurity.

Expanding human attack surface protection to consumers: a reality?

Jeff asserts that a significant number of consumers are oblivious to their digital footprint and the associated risks. 

It's not surprising then that consumer education becomes paramount in this context. He's particularly focused on enlightening individuals about unintentional human risk, which he believes is an ever-present issue.

Matt mentions that one of the most frequent questions they face concerns this very issue. In a bid to tackle the challenge, they've been providing program beneficiaries with a family invite. The ultimate goal is to extend this offering to everyone someday, with a particular emphasis on those who are more vulnerable to these risks.

Of course, crafting a product tailored to a consumer audience is no mean feat. It requires time, patience, and a deep understanding of the end user's needs and behaviors. 

That being said, this understanding isn't limited to existing consumers alone. In fact, it can offer significant value in the hiring process by revealing the potential risk a new employee might bring to the table.

Interested in sponsoring an episode like this with your target buyer?

→ Reserve your sponsorship here. ($2,575)