Stel Valavanis of onShore Security: 5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity
An Interview With Jason Remillard
As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Stel Valavanis, founder of onShore Security and investor in several early-stage companies, graduated from the University of Chicago in 1988 with a Bachelor’s degree in Physics. He is currently the CEO of onShore Security, an established cybersecurity provider of managed security serving the financial services industry and other highly regulated and information sensitive sectors including commercial construction, healthcare, and manufacturing.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I grew up on Chicago’s North Side, first in Andersonville and then West Rogers Park. My parents were Greek immigrants and we went to church every Sunday (with awards to prove it). I loved science and technology for some reason, getting my first soldering iron at age 9 and learning to code. In high school, I was a mathlete. My parents owned a tavern and, over time, I became interested in helping them understand the paperwork they handled, so there’s the business foundation.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
Technological empowerment was always much more interesting to me than, say, gaming and so I was coding data applications and other useful things for fun, and then for employment. As the Internet came to be and communications promised to be ubiquitous, I pivoted to networking. But with that came the threat of cybercrime, which left me with a sort of “this is why we can’t have nice things” feeling. All that enablement went out the window. Cybersecurity is my way of regaining the enablement upper-hand and seeing that it is so with our clients. This is something I talk about a lot when I discuss why we do what we do.
Can you share the most interesting story that happened to you since you began this fascinating career?
There’s a funny story of a bank client and an unknown data stream detected. We followed protocol, resulting in an approved lockdown. A regional president got pretty mad about their boat cam becoming inaccessible. It was harmless, but it was against protocol and we detected it.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
When you’re a small company, it may not matter if people believe in you or not. They take a risk hiring you. There was one attorney with a large bank client that met us and brought us in at the right time and set us on a new course.
Are you working on any exciting new projects now? How do you think that will help people?
Our PD team is at the early stages of implementing our Data Scientist’s unalerted data modelling. Lots of people focus their coding on trying to save resources. We do too, but we’re far more interested in creating smarter models of the firehose of data that is ignored. It’s not just a task a machine can do better. It’s a task a human cannot do. The result will be much greater confidence for anomaly detection and zero-day threat behavior.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
I’m not the best person to give that advice. I don’t relax much. I blend work and “play” in an unhealthy way. Reading and learning would be my fun or socializing and discussing serious topics. I have a whole side of my life as an artist which I’ve not been able to find time for in the past 10 years or so but even then that’s just other important work.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?
The exciting part is on the industry side where we see growth and are attracting investment. That means we can do the things we’ve been wanting to do. This is also true on the market side, with increased budgets and increased compliance requirements. Yes, those excite me both as an entrepreneur but also as a technologist. But still, it’s bittersweet. This is crime we’re talking about, that we’re trying to thwart, and we’re not winning. We’re just keeping up, at best. Yes, I’ll be excited when we go passwordless and everyone provides detection telemetry from all points for us to ingest. Then, we can do a better job. But we’re fighting an uphill battle. We need better policy and cooperation at the national and international level. I know that’s a bigger discussion.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
So many companies have enough gaps that I have to first emphasize the basics the most. Something like the CIS 20, and then, of course, detection, which overlaps a good bit. These prepare you for the known and the unknown. Part of the point I’m making is that we’re not caught up with the known threats, but how that relates to your question is that, in a way, that keeps the criminals from employing more sophisticated attacks we’ve only seen glimpses of. Things like route and DNS hijacking at a large scale. Those cases got in the news, but when you see a criminal enterprise willing to spend in the millions to orchestrate a large attack, you better open your eyes.
Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
As you can imagine, there have been very many breach attempts over the years. I joke sometimes that we detect for penetration testers, because they’re working from the inside. There’s one funny story of a client insisting we break protocol and open up TeamViewer to a desktop for a demo on the fly. Normally there is change control for something like that. Well, it was a pen tester and they were in. As for real breaches, there was a really scary incident where we found an authentication token persisting longer than it should. We took the machine offline for forensics, but nothing else was found. You can’t prove a negative and dwell time averages over 100 days, so you have to take things like that seriously. Three times we’ve had to respond to ransomware with early detection and full recovery each time (note that we are a detection company, not incident response). I could talk about other scares and serious attacks, but we’ve never had a breach at any of our clients save the ransomware I mentioned.
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
Our detection platform is mainly composed of our own custom Panoptic Sensor and Panoptic SIEM. As with any enterprise platform, it isn’t one tool but rather an integrated set. Main components include Kibana, Elastic, Logstash, Zeek, Suricata, and many smaller searching and filtering tools that are integrated for threat hunters to pivot to in their work. We ingest from a long list of protocols and security solutions. The firewalls we support are Palo Alto, Fortinet, Check Point, and Cisco.
How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?
Sure, a smaller company can’t afford as much as a large company can, but that’s true whether they outsource or insource. It’s always easier and faster to buy compliance and an improved security posture than it is to build it. But it only gets cheaper to outsource if your need is great (e.g. you cannot afford to have gaps at times) because there is operationally much more to a cybersecurity team than just buying some tools. All the tools are good, but security is a process, not a product. So the trigger is their own demand, be it from their own sense of security needs or some external compliance requirement. I can tell you that compliance is the primary driver in the market. As for a CISO, you must have one, period, and that’s the most expensive spot to fill. Outsource it if you can’t afford someone experienced. It’s not a junior position or one to learn in.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?
No, there aren’t. What a lay person will see is a drained bank account or an angry vendor that didn’t get their wire transfer, or payroll checks gone to the wrong people, or a department of locked up computers. All the early warnings of a breach, or even an attack, are technical. Even phishing is just seen as a benign link until the damage is done. I wish it weren’t this way.
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
All the steps should be part of their accepted response procedures. These should include specific instructions for minimizing the exposure, containing the threat, and disclosing the breach. Table-top exercises help make it go smoother.
How have recent privacy measures like The California Consumer Privacy Act (CCPA), CPRA, GDPR and other related laws affected your business? How do you think they might affect business in general?
Privacy and Security aren’t the same thing, but they overlap. We’ve not had to do much to respond to GDPR and CCPA since we’re in the business of detection, primarily, and are not responsible for disclosure. Our clients have had to adjust for things like where data is stored and updating their documentation for audits. Where we’ve been involved is in updating policies and procedures, particularly for incident response. It’s a smaller part of our practice, but we do some policy work.
What are the most common data security and cybersecurity mistakes you have seen companies make?
The biggest bang for your buck that is often unaddressed is simply having security policies. Then I’d add having dedicated cybersecurity staff and accountability. Yes, security needs to be everyone’s job but someone with clear accountability will keep you moving forward. Notice that I didn’t mention products or patching.
Since the COVID-19 Pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?
I can’t say the errors have increased, but the need for doing the things we’ve been saying all along does become much more apparent when your people and your data are no longer in your sphere of control or visibility. Now you realize that wasn’t a given, if you hadn’t already.
Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)
Security is a process, not a product. Cybersecurity is more like accounting than it is like running IT infrastructure. It’s about checking things every day, adding things up, reporting, producing an audit trail, and about cycling that back into tighter rules and processes.
Compliance is not security and security is not compliance. One doesn’t make you magically satisfy the other. Both are needed. Compliance refers to any set parameters be it from government, industry, clients and vendors, or one’s own policies. But you can adhere to these and still underperform.
Don’t reinvent the wheel. It’s all out there: policy frameworks both simple and deep, industry and vendor requirements, all sorts of service providers, and products, products, products. Products are frustrating because they mostly fail to show where they fit in a stack, so they never reveal their gaps. Expect more convergence of features, and so focus more on which integrate well and don’t try to force you into their closed stack. Again, the frameworks are the place to start and CIS 20 is the simplest. Simply identifying all your gaps following an existing framework will reduce your spend in products and services and make you more secure.
Create a security culture. Just like being cheap will get you through times of no money better than money will get you through times of over-spending, culture can make or break you. Attitudes about security, especially at the leadership level, will save you or poison the well. It’s all too easy to loosen up or misbehave. Work with your top leadership, board, and especially your CFO to agree on the organization’s risk appetite or risk tolerance. Business leaders will also understand and accept that approach better than the technology.
Accountability. It’s a shame to put so much on any one person, in a way, when everyone needs to take responsibility. But, by law in some states, financial institutions must name a CISO who must directly attest to the company’s compliance and security posture. That clarity creates the right incentive to put security ahead of infrastructure and allows the business to make decisions based on risk rather than IT budget parameters.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-) (Think, simple, fast, effective and something everyone can do!)
We need more regulation. We are all at risk when our economic ecosystem is threatened. COVID could just as well have been a cybersecurity incident or worse, cyberwarfare.
How can our readers further follow your work online?
Please visit our web site onShore.com and sign up for our blog and announcements. Following us on LinkedIn and Twitter will get you these as well.
This was very inspiring and informative. Thank you so much for the time you spent with this interview!
About the Interviewer: Jason Remillard is the CEO of Data443 Risk Mitigation, Inc. (Publicly Traded as Symbol: ATDS). Data443 is a leading Data Privacy and Security company with over 40,000 customers worldwide.
Formerly of Deutsche Bank, TD Bank, RBC Bank, IBM, Dell/Quest Software, TUCOWS and others, Jason has been in information and data security for over 30 years with customers in virtually every country in the world.
Trusted to deliver — All Things Data Security — he is leading the charge in bringing data privacy as affordable, deployable and realistic solutions that every business owner can take advantage of.