Josh Rickard of Swimlane: 5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity

An Interview With Jason Remillard

Jason Remillard
Authority Magazine
Nov 9, 2020


As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Josh Rickard, Security Research Engineer at Swimlane. He is focused on automating everyday processes used in business and security. He is an expert in PowerShell & Python, a GIAC Certified Windows Security Administrator (GCWN), a GIAC Certified Forensic Analyst (GCFA), and has a diverse background ranging from system administration to digital forensics, incident response and managing teams and products. Josh is passionate about security and previously served as a Board Member and President of the Central Missouri InfraGard Member Alliance, which coordinates with the FBI on infrastructure defense. Josh has presented at multiple conferences including DerbyCon (2x), ShowMeCon (2x), BlackHat Arsenal, CircleCityCon, Hacker Halted, and numerous BSides. In 2019, Josh was awarded a SC Media Reboot Leadership Award in the Influencer category and is featured in the Tribe of Hackers: Blue Team book. Josh shares his experience about automation, code, and security on Swimlane’s blog (https://swimlane.com/blog) and his personal blog (https://letsautomate.it). You can find information about open-source projects that Josh creates and maintains on GitHub at https://github.com/MSAdministrator.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

I grew up in a middle-class household in a small town on the Mississippi river where there wasn’t much to do besides playing sports, being outdoors, and hanging out with friends. I would say I was always an outcast or different than most but not in a negative way. My parents and experiences taught me at a young age to pursue my goals and to not compete with others. It was instilled in me to compete against who I was yesterday, today, and not worry about what others were doing.

After high school I didn’t go to college and ended up working for several years while my wife pursued her Master’s degree. When she completed her degree I went to school in the evenings, while working full-time, and received my BS in Computer Information Systems.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

There is no single story that inspired me to pursue information security but more a cumulation of what I learned. Early on in my career I worked as a System Support Analyst and was thrown into a complex environment. This forced me to learn and understand how Active Directory, Group Policy, and Windows Operating Systems internals worked so that I could better troubleshoot issues and build secure systems for a hospital network. The Information Security team at the same organization I worked at eventually saw this interest and recruited me to join them as a Security Analyst. During my time there I was part of their Digital Forensics & Incident Response team and took on other initiatives like vulnerability management, endpoint security, domain security, phishing defense, and even physical security reviews.

Can you share the most interesting story that happened to you since you began this fascinating career?

In early 2015 I was part of a team of Security Analysts and I took on the responsibility of triaging and responding to phishing emails. During this time, I saw a large increase in account compromises, and I knew we were receiving a lot more phishing emails than what were being forwarded to us by our users. Over lunch with a good friend, I remember complaining and wishing there was a way for users to “report” a phishing email to us by clicking a button; at the time we would instruct people to forward the message as an attachment which was not ideal. So, after that lunch I set out to create one, and two weeks later I did.

After using this Microsoft Outlook button internally for a few months, I released it publicly. About a week after that I received a job offer to join PhishMe as a Solutions Engineer and continue working on their Reporter product(s); and I accepted. I worked at PhishMe / Cofense for three years and during that time my team grew their installation base from 1 Million to 18+ Million (and counting) global installs.

None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?

I would have to say there are two women who have impacted my career. The first is my partner Lindsey. She has supported and encouraged my continual learning from the time I was in college to the present. The long hours of reading and coding after work (well into the AM) are the reason I am successful. Also, surrounding yourself with extremely smart people forces you to level up and is a huge motivator.

The second is my previous manager Becky. While I was a Security Analyst, Becky helped me understand the business side of technology. That understanding has helped me weigh the differences between what is feasible vs. what is practical and in the best interest of an organization.

I think many in security try to lock down systems to the point that they disrupt business operations. There is a fine balance that must be achieved, and this is all about understanding the goals of an organization so that you can make the best decisions and recommendations to protect the business without crippling it.

Are you working on any exciting new projects now? How do you think that will help people?

I am always working on some new project but the most exciting to me is a project dedicated to defining a Common Security Data Model (CSDM). CSDM is a definition of common security data entities and properties which define traits about each data type.

CSDM helps us categorize and provide context around data points that are common to information security. More specifically, having a standard defined map of common data points enables products like Swimlane to associate data to an entity. By associating these entities, we automatically inherit additional traits about a single data point.

What advice would you give to your colleagues to help them to thrive and not “burn out”?

The thing about InfoSec and hackers is that we are curious by nature. We want to understand how things work. We are life-long learners.

To my colleagues I would say find a position that values your input, allows you to experiment, encourages continual learning, and generally makes you excited to go into work. I know this is not always practical, especially for those starting off their career, but know you are valuable, talented, and no job is worth your physical & mental health.

To ISOs, directors, managers, and senior infosec people, check in with your team. Have discussions, ask your team(s) how they are holding up. Encourage experimentation and utilize the skills that your team members show interest in. If you do not know what your team members are interested in (e.g. encryption, automation, phishing, etc.) then ask them. Use these skills to your advantage while also helping your team level up.

Finally, automation is key. As security professionals we do so many repetitive tasks that we must automate them. If you know how to do something blindfolded, then you must automate it. This enables your team to focus on more complex tasks to improve your security posture. Utilizing SOAR like Swimlane helps you turn those simple and complex business processes into highly scalable orchestration and automation.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?

The Cybersecurity industry, and IT in general, are such young fields in comparison to other industry verticals. Because of this we are continually evolving and identifying new areas of improvement. I think the most exciting areas of Cybersecurity are SOAR, open-source EDR and community-based sharing of threat intelligence & detection rules.

SOAR is still a young technology, but I believe it will be (is) a cornerstone of Cybersecurity just like logging, identity management, compliance, network, and configuration are. But SOAR is more than just automation for security, it is automation based on business processes and can be applied to any industry vertical like employee on/off boarding, compliance, DevOps, or infrastructure management. I think we will continue to see Cybersecurity and SOAR integrated into other business units, which is a great thing!

EDR (Endpoint Detection & Response) has been a central focus for many organizations. I believe this will continue to be popular but now we have companies like Elastic open sourcing their EDR agent. I believe this will be a catalyst for other companies to release similar products to the public. I’m an advocate for open-source software especially when it comes to security tooling. We should make sure our security tools are secure, right?

One of the biggest issues with current threat intelligence is that organizations do not commonly share it with others. I believe we will see an emergence of threat intel sharing with the community, similar to what Microsoft did with their COVID-19 Threat Intelligence (https://www.microsoft.com/security/blog/2020/05/14/open-sourcing-covid-threat-intelligence/). We need more of this from these industry leaders, but more so we need to share detection capabilities (rules) back to the community.

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?

Our industry is continually changing so it’s hard to predict what’s right around the corner. In all honesty, organizations must have the basics down. It’s not glamorous but if organizations can update all their systems consistently, remove administrative rights on systems, and have defined processes (and practice them) for when an incident does occur, they will be in a much better place.

Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?

I’m not sure how much I can say here from a personal perspective, but I can say that organizations must have a process and levels of review when any monetary request is made.

I’m not sure if your readers are aware but one of the biggest internet-related crimes is a form of phishing called BEC (Business Email Compromise) or CEO Fraud, which resulted in $1.7 Billion in losses (https://www.fbi.gov/news/stories/2019-internet-crime-report-released-021120) according to the FBI last year. This type of phishing is targeted and often attempts to spoof or impersonate someone in an organization who has authority to transfer money from an organization. The attacker’s entire goal is to convince someone that they should transfer thousands (or millions) of dollars for some urgent reason. Organizations, government entities, and small businesses must implement a tiered approval process for these types of transfers.

These types of attacks are too common and have resulted in over $26 Billion (with a B) in losses since July of 2016 (https://www.ic3.gov/Media/Y2019/PSA190910). This is a major issue and organizations must be aware of these attacks and develop processes to prevent it.

What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?

The tools I consistently use daily are Swimlane & Python. I use Swimlane SOAR (Security Orchestration Automation & Response) platform to automate things like scraping websites, monitoring domains, and discovery of new threats. I use Python to do the same, but Swimlane is the driver. I also write a lot of internal and external open-source security tools using Python.

Recently though I have been using Elastic’s ELK stack to help with parsing and testing detection rules. Additionally, I’ve been using Sigma (https://github.com/Neo23x0/sigma) which is an open-source standard for generating a generic signature format for SIEM systems.

How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?

It’s hard to keep up with the latest technology. Even in Cybersecurity we are traditionally behind when it comes to comparing security to DevOps; DevOps is moving much faster than most security teams.

It’s all situational unfortunately, but one indicator of hiring internally is when there are requirements as part of a contract or an RFP. My last two positions were at Cybersecurity startups, which has its advantages; most employees are security focused or at least adjacent. For non-technology focused companies, I recommend hiring a security professional or an IT person and giving them opportunities (e.g. send them to training) to learn about securing systems.

If you do want to use “over the counter” software, then look at managed services like MDR (Managed Detection & Response). If you are building software or services, then I strongly advise that you hire someone internally from the start. They will help your product, IT, and other teams by building secure systems from the start.

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?

If an organization is prepared and has practiced their Incident Response (IR) processes, then anyone external to the situation should not be aware that something is wrong. One of the core responsibilities of the IR team during an incident is succinct and controlled communications. That communication is typically handled by a single person and is likely someone from PR, HR, Marketing, or the incident commander (leader) themselves. This ensures that the same messaging is being shared. The last thing an IR team needs is contradicting stories and/or a panic.

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

The Incident Response process is made up of several phases: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned. Once an organization is notified or made aware of a security breach, they must identify all impacted resources. This process can be difficult if you do not have the proper visibility. The last thing we want to do is let the attackers know we are onto them. Also do **NOT** shut down or reboot systems unless necessary.

Once you have identified the scope of an incident, we then move into the containment phase. This must be a planned, orchestrated, and simultaneous response which isolates (contains) these systems to ensure that the attackers do not move laterally or exfiltrate data.

Once you are confident that you have stopped any external access, we must gather evidence. In the Digital Forensics world, we recommend gathering the most volatile data first; memory -> logs -> disk. After evidence has been collected, we then begin the eradication phase. Based on the identified resources, we begin to wipe systems by restoring them from backups, re-imaging, or re-deploying systems.

Once we have restored our systems, we must test and verify that everything is back to normal. This is the recovery phase. During this phase we add additional logging, monitoring, etc. of these systems for as long as needed to ensure that the threat has been removed.

The last phase is the Lessons Learned and it is the most important phase in this process. This phase is where we reflect and identify both the good and bad we experienced throughout the previous phases. There is no blaming in this phase; it is all about candid and honest feedback. All the lessons learned feed back into the preparation phase and improve our processes so the next time a breach occurs we are even more prepared.

How have recent privacy measures like The California Consumer Privacy Act (CCPA), CPRA, GDPR and other related laws affected your business? How do you think they might affect business in general?

The recent privacy measures have not directly affected Swimlane but rather we are building automation and use cases to help customers with these requirements. I think that CCPA (or similar laws) will be implemented by other states. If so, I believe this will have devastating impacts, especially if each state has their own version of this law. I believe that the United States government must get out in front of this and implement a universal compliance. If they do not, I believe that having 50+ different (but similar) data governance laws for each state will cause lots of confusion and be extremely difficult to manage for businesses.

What are the most common data security and cybersecurity mistakes you have seen companies make?

I was asked a similar question for the new Tribe of Hackers: Blue Team (https://www.wiley.com/en-us/Tribe+of+Hackers+Blue+Team%3A+Tribal+Knowledge+from+the+Best+in+Defensive+Cybersecurity-p-9781119643425) book. I think the biggest mistake that security teams make when it comes to data security is worrying about physical assets like laptops, servers, etc.

As an industry we must shift away from securing all assets and instead focus on identifying what, where, and how data is used by the business. Understanding what data an organization has, where it is located, and how that data is used enables security teams to focus on the most critical data first instead of trying to secure all assets at once.

Security teams are typically small in many organizations and trying to secure hundreds, thousands or hundreds of thousands of systems is a monolithic task. Since these teams are small, they should focus on securing the most sensitive data which in turn (typically) secures the systems in which that data resides or communicates with.

Since the COVID19 Pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?

When COVID19 forced companies to move to a remote workforce we saw an increase in assets being put on the internet. For example, there were significant increases (https://blog.shodan.io/trends-in-internet-exposure/) in Windows Remote Desktop Protocol (RDP) according to shodan.io (https://www.shodan.io/). Drawing conclusions from this data means that organizations (mostly IT) were scrambling at the last minute to support employees who were now all remote.

We also saw an increase in security issues with products like Zoom. For example, I am a member of SecKC (https://www.seckc.org/) (Kansas City’s longest-running monthly security meetup) and some members of the group released a tool called zWarDial (https://krebsonsecurity.com/2020/04/war-dialing-tool-exposes-zooms-password-problems/) earlier this year which brought to light issues with unprotected Zoom meetings. In turn many organizations began setting passwords for all their Zoom meetings.

Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)

1. What data is critical to my organization

Understanding what data is critical to the operations of a business is number one. Documents located on a Google Drive, OneDrive, or a file share are probably important but not nearly as important as customer information, billing, HR, and possibly even proprietary code. This data is what makes your organization work. Understanding what data is critical can be difficult so I suggest taking a tiered approach.

First you have data which may have strict requirements like HIPAA, SOX or PII. These have mandates which must be followed. Next ask business (Board of Directors, Investors, C-Level, etc.) leaders what they consider the most critical data. At the same time ask these leaders to rank the data from most to least important. Continue down the organization hierarchy. At this point you should have a list from each level within the organization as well as their priorities.

Not only does this give you a great starting base but it also gives the security team a view into what is important across the organization. It would typically take years to gain this knowledge.

2. Where is your data located

Once you have a list of priorities you now need to identify where this data is. This may be simple like a file but may be more complicated if it’s a database. Asking questions like where are the backups located, do users export data from an application using this database, does the system that uses this application log information about database transactions and if so where is that located? These types of detailed questions are important and allow you to set scope of impact and know what to secure along the way.

Where your data is located is not only a question of where it is physically but also a question of how data moves across your network. This will probably be a tedious process but at the end you will have a clear picture of how an application is designed as well as how you can secure this data.

3. How and who uses this data

Along with where data is, you must understand who has access to what data and how users interact with it. Understanding this will help your security team implement a more thorough PoLP (Principle of least privilege).

The goal of this process is to identify if a user needs access to do their job or whether they could retrieve the same data with fewer privileges than they may have. Additionally, you need to understand if people use this data outside of its intended use. If so, understanding where it is stored and what it is used for is critical.

4. Prepare for a breach

There’s an adage that states “it’s not if, but when” when it comes to data breaches, so organizations must be prepared for the worst. Organizations must have an Incident Response Plan (IRP) that is continually reviewed and updated on a regular basis. An IRP outlines, at a minimum, the following details:

  1. Contact information for both team members and external contacts (e.g. FBI, local police, legal, etc.)
  2. Roles and responsibilities during an incident.
  3. Escalation procedures that define when and who to notify during an incident.
  4. Processes for the handling, retention, and destruction of evidence, as well as communications standards.
  5. References to additional documentation and key terms/definitions. This one seems strange but ensuring that everyone is on the same page is critical. Jargon is common in security and after you have been awake for 24 hours you will want this list.

More than likely you will have other details defined in your IRP, but this is a starting point. The critical piece of having an IRP is getting approval and sign-off from all stakeholders. This ensures that everyone involved understands the process and who is responsible for what during an incident.

Besides an IRP you will want documentation specific to handling evidence, forensics processes, checklists, and more. Luckily you do not have to create these from scratch since there are many templates available like these from Josh Moulin (https://joshmoulin.com/digital-forensics-incident-response-forms-policies-and-procedures/).

Part of your preparation is to have regular “tabletop” exercises to ensure your documented processes are defined and still accurate. These exercises are simulations that help everyone on your IR team be prepared for when an incident occurs. All team members, including senior executives, should be present and not distracted — this means no cellphones or laptops — everyone should be engaged.

All members should play their role during a mock incident that the organizer creates. It’s like Dungeons & Dragons but for security. You can make these mock incidents as easy or difficult as you want. The goals for these simulations are to identify any gaps in procedures and capabilities before a breach occurs.

5. Everyone is part of the blue team

Over two years ago I wrote a blog post titled Cattle vs. Unicorns (https://letsautomate.it/article/cattle-vs-unicorns/). The premise is that organizations should trust and empower their employees. By empowering them you create a sense of responsibility to the organization as well as to each other. Employees must know they are the front line; they are responsible for the security of their organization when it comes to their role within the greater framework of their workplace.

How you do this depends on your organization size, location and other variables but I recommend engaging departments individually to start. Your security team needs to build a trust relationship with the whole organization and putting faces to roles is a good start. Maybe you can host a town-hall where employees ask questions or just host presentations or maybe even show some cool hack.

Whatever you choose to do, make sure that it is engaging, relevant, and relatable. I know that some security (and technical) workers do not like to speak publicly but surely there is someone on your team that is eager or willing.

As I stated in the Tribe of Hackers: Blue Team book:

The individuals who define, write, review, and implement policies, procedures, compliance, and legal requirements are also part of the blue team. Examples of this can be seen at many levels: an organization’s frontline support (e.g. help desk) that scrutinizes someone during a password reset attempt; the IT analyst who adds additional security controls for their department’s assets; the DBA who is a perfectionist and wants to secure data in their systems beyond what policy states; the user who reports any suspicious email they receive. These individuals are part of the blue team. I want all of these people on my blue team; imagine if they weren’t.

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-) (Think, simple, fast, effective and something everyone can do!)

If I could inspire a movement, I would want people to put down their mobile devices and engage with family and friends at least once a week (at minimum). As a society we are so consumed by social media, 24-hour news cycles, and are distracted by misinformation, that we often forget about what is important — our loved ones. If everyone would take an evening without technology and live in the moment, I believe we would all be better because of it.

As you can imagine, my household is littered with technology of all sorts and when our daughter was born, my wife and I both decided to set down “technology” while eating as a family, and instead we listen to music like 70s rock, jazz, or classical and talk about our day. I know my daughter will be surrounded by technology for much of her life so we decided that we would limit it as much as possible, while we had the choice.

Instead of taking that picture or selfie, as a society, we should try to be present with each other instead of worrying about our social media status. We worry too much about what others think about us when we should be focusing on our loved ones, our community, and how we can leave this world a better place for those that come after us.

How can our readers further follow your work online?

Definitely check out the Swimlane Blog (https://swimlane.com/blog) as well as my personal site https://letsautomate.it.

From a social media perspective I am mostly on Twitter at @MSAdministrator (https://twitter.com/MSAdministrator) but you can find me on LinkedIn (https://www.linkedin.com/in/josh-rickard/) as well.

I write a lot of open-source tools, presentations, etc. which are posted on my GitHub (https://github.com/MSAdministrator) or on Swimlane’s GitHub (https://github.com/swimlane).

This was very inspiring and informative. Thank you so much for the time you spent with this interview!

About the Interviewer: Jason Remillard is the CEO of Data443 Risk Mitigation, Inc. (Publicly Traded as Symbol: ATDS). Data443 is a leading Data Privacy and Security company with over 40,000 customers worldwide.

Formerly of Deutsche Bank, TD Bank, RBC Bank, IBM, Dell/Quest Software, TUCOWS and others, Jason has been in information and data security for over 30 years with customers in virtually every country in the world.

Trusted to deliver — All Things Data Security — he is leading the charge in bringing data privacy as affordable, deployable and realistic solutions that every business owner can take advantage of.
