Plus, Verizon hammers home high cost of breaches, Experts Exchange opens access.

Lorna Garey

October 14, 2016


Joey Alonso, president and founder of startup Quortum, says that partners have what it takes to help customers address insider threats, simply by their status as independent expert advisers. IT and security pros within companies face political and other obstacles.

“One person said, ‘How are we going to go around as an impartial group, when if we see someone not doing their job, we have to report them?’” says Alonso. “That’s a difficult thing for any employee to do.”

Quortum, which focuses on insider threat vulnerability assessments, works with Carnegie Mellon. It’s one of just six companies that have access to the research, case studies and comprehensive vulnerability threat impact assessments coming out of the CERT Insider Threat Center at Carnegie Mellon’s Software Engineering Institute.

Carnegie Mellon works directly with very large enterprises and government agencies, including the Air Force and Department of Homeland Security, to mitigate insider risk, and Quortum can use those same in-depth methodologies, but tailored to the needs of small and midsize customers. Alonso’s focus is companies with 75 to 400 employees.

“We try to speak with all employee-facing departments — human resources, physical security folks, personnel security folks, legal and obviously IT,” says Alonso. “Leadership needs to realize, it’s the people who are the insider threats, who are actually committing the acts.”

Risks include intentional theft and sabotage, but also unintentional damage such as cutting corners on background checks for new employees or clicking on phishing emails.

“We’re going in as an impartial assessor of what they currently have in place,” says Alonso. “We look at procedures, policies and practices. So, you could have a policy that tells employees they are subject to monitoring. We look at, ‘What is the procedure, what do you have in place to actually do that monitoring?’ Then we look at the practice. ‘Do you actually do it?’”

He gives another example of an HR department whose policy is to go back six years in a background check. “How do you know that it’s actually being done, every time?”

Alonso stresses that his team is not there to go after HR, IT or any other group. They’re there to ensure that the proper policies, procedures and practices are in place, and then to alert leadership where there are shortfalls.

“We try to be an impartial sounding board,” he says.

That likely sounds familiar to partners.

“We can go in and say, here’s what a company similar to yours did, not naming names, and here’s how it worked out for them,” he says; that data comes out of the Carnegie Mellon partnership. “Our goal is to give business leaders what they need to make the best decision. They own the decision.”

As to what problems are endemic in SMBs, his team blogs regularly on topics such as smartphone security and identifying intellectual property. In a larger sense, he cites four issues:

  • A head-in-the-sand mentality, where people depend too much on technology. “There are a lot of folks who say ‘I hooked this piece of gear up,’” he says. But technology without the right policy, procedure and practice is incomplete and provides a false sense of security.

  • Human nature and a misunderstanding of the reason for an assessment. “In small firms especially there’s an inherent desire to trust everyone in the company,” he says. “They’re hesitant to have someone like Quortum come in. There’s the misconception for employees, ‘The company doesn’t trust me, here comes big brother.’”

  • Lack of policies that address the current threat landscape. “They have an employee manual that their HR director probably brought over from her previous company and just changed the names,” says Alonso.

  • A blind spot around business partners. This is one that Target learned the hard way. “Think about all these small companies that have a cleaning crew come in,” he says. “What’s going on with them? Your HR people may be vetting everybody, but then you team up with someone that’s not up to snuff.” Quortum provides insight on what questions to ask potential partners and red flags to watch for.

A Navy veteran, Alonso uses the term “rack and stack” in the military sense — to prioritize.

“We see companies place 50 percent of their effort into protecting one category of information,” he says. “We come in and say, well, what about this information? Isn’t this stuff over here important?”

Customers must allocate limited resources and know when to call in help.

“What’s your IP, what’s the risk to each and is the amount of effort expended to protect in line with value?” he says. “Companies are just thinking about protecting everything. You can’t.”

Partner Op

Quortum is based in Northern Virginia but works directly with customers or in tandem with channel partners nationwide. Rates vary widely based on a company’s size, vertical and the maturity of its policies.

Quortum’s teams minimize the burden on staffers by doing policy reviews before they come on site. After it does a site visit, the company sends completely anonymized data to Carnegie Mellon, which ranks the level of insider threat on a scale of one to four.

“For anything below a four we offer mitigation advice,” he says. It’s up to the customer how that mitigation happens — or doesn’t.

“We are a perfect company to team up with IT specialists,” he says. “We’re not digging down in the weeds.” By that he means that customers have limited time, staff and budget. Often, they ask Quortum to simply do an assessment and deliver an action plan, which they intend to implement. Then reality happens.

“For companies that just get the report, less than one in 10 actually acts on the recommendations,” he says. “It’s just manpower.”

Fright Files

In honor of October being National Cybersecurity Awareness Month, let’s start out with a new malware delivery method. Trustwave researchers this week published findings on malicious files embedded in legitimate-looking .MSG file attachments; .MSG is a file format used by Microsoft Outlook and Exchange.

Analysts say the technique is an effort to get banking Trojan malware past email gateways. The files are compressed, making them difficult for antivirus products to detect, and the malicious code is obfuscated. Read about it here. Trustwave advises warning end users against opening .MSG files that are sent to them.
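As an added illustration that is not part of Trustwave’s write-up or this column, the following gateway-side check flags mail carrying Outlook .MSG attachments, both by file extension and by the OLE compound-file header the .MSG format uses (so a renamed .MSG is still caught), and notes ZIP archives since the reported lures arrived compressed. The sample message, addresses and filenames are constructed inline for the demonstration.

```python
"""Gateway-side check for Outlook .MSG lures (added example, not Trustwave's code)."""
import email
from email import policy
from email.message import EmailMessage
from typing import Dict, List

# Outlook .MSG files are OLE2 Compound File Binary containers; this is the CFB header.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# ZIP local-file header: the reported lures were delivered compressed.
ZIP_MAGIC = b"PK\x03\x04"


def attachment_findings(raw_message: bytes) -> List[Dict]:
    """Return one finding per suspicious attachment (empty list if none)."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if name.endswith(".msg"):
            reasons.append("msg-extension")
        if payload.startswith(OLE_MAGIC):
            reasons.append("ole-container")   # catches a .MSG renamed to .pdf etc.
        if payload.startswith(ZIP_MAGIC):
            reasons.append("zip-archive")
        if reasons:
            findings.append({"filename": name, "reasons": reasons})
    return findings


def should_quarantine(raw_message: bytes) -> bool:
    """Policy hook: hold any mail carrying an OLE container or a .msg attachment."""
    return any("msg-extension" in f["reasons"] or "ole-container" in f["reasons"]
               for f in attachment_findings(raw_message))


def build_sample_mail() -> bytes:
    """Constructed sample: a .msg lure, a zip archive, and a harmless text note."""
    m = EmailMessage()
    m["From"] = "billing@example.com"   # placeholder addresses, not real senders
    m["To"] = "user@example.com"
    m["Subject"] = "Invoice attached"
    m.set_content("Please review the attached invoice.")
    m.add_attachment(OLE_MAGIC + b"\x00" * 64, maintype="application",
                     subtype="vnd.ms-outlook", filename="invoice.msg")
    m.add_attachment(ZIP_MAGIC + b"\x00" * 32, maintype="application",
                     subtype="zip", filename="report.zip")
    m.add_attachment("Meeting notes", filename="notes.txt")
    return m.as_bytes()
```

The header check matters more than the extension check: an attachment that is an OLE container but carries another extension is exactly the kind of mismatch a gateway should hold for review.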

The company also posted some good advice on dealing with “security fatigued” end users.

Cisco Goes on Ransomware Offense

One I missed last week: Cisco’s Ransomware Defense bundle includes Cisco Umbrella, which blocks threats at the DNS layer; Advanced Malware Protection for Endpoints, which prevents ransomware files from running on endpoints; Cisco Email Security, which stops the phishing and spam messages that deliver ransomware; the AMP add-on for static and dynamic analysis (sandboxing) of unknown attachments; the Cisco Firepower next-generation firewall; and Cisco ISE for dynamic network segmentation to keep ransomware from spreading laterally. There are also Cisco security services available. Network World has a good rundown here.

Customers don’t need to purchase all the pieces, and backups are an important element of ransomware defense that’s not addressed. But a layered approach is the best way to defeat attackers, and the offering covers most bases.

Yahoo Breach Fallout Continues

Reuters reports on a statement by Verizon general counsel Craig Silliman that the company has a “reasonable basis” to believe that the Yahoo data breach, in which at least 500 million user accounts were hacked in late 2014 by what it says is a state-sponsored actor, “represents a material impact that could allow Verizon to withdraw from its $4.83 billion deal to buy Yahoo.”

Silliman told Reuters that the breach could trigger a clause that could allow Verizon to withdraw from the deal, scheduled to close early next year, and said the onus is on Yahoo to prove that the company’s value hasn’t tanked.

For Verizon, the Yahoo buy is about digital ad sales; it plans (planned?) to combine Yahoo’s digital advertising and media assets with the AOL internet business, which it bought last year for $4.4 billion.

Level 3: Ho Ho … Oh No

Even as many have yet to get sick of pumpkin spice lattes, Level 3 Communications delivers its annual guide to helping retail customers survive the shopping season.

Some top takeaways:

  • Retailers may be more vulnerable this year given the sheer number of attack points — kiosks, in-store Wi-Fi, mobile point-of-sale systems and all sorts of IoT devices.

  • The average total cost of a data breach is $4 million, according to Ponemon’s 2016 Cost of Data Breach Study, with each breach averaging $172 per record breached for retailers. That will take the jolly out of a holiday fast. Ponemon also says that it takes retailers an average of 197 days to spot malware. That’s better than Yahoo, which was breached in 2014, but it’s still problematic.

  • A recent KPMG study found consumers aren’t very forgiving when it comes to cyberattacks against retailers; more than 50 percent indicated they would forego shopping at an affected retailer for at least three months after a breach or stop shopping at a breached retailer altogether. See: Yahoo.

Qualys, NTT Security Team Up

Channel-focused security provider Qualys and NTT Security announced a deal to integrate Qualys’ cloud-based IT security and compliance services with NTT Security’s managed security services.

Last month Qualys joined Splunk’s Adaptive Response Initiative, and its Qualys Cloud Platform underpins the new EiQ SecureVue Cloud SIEM and log service.

The new agreement enables NTT Security customers to leverage the Qualys Cloud Platform, which covers mobile, cloud and on-premises assets and includes asset inventory, vulnerability management, policy compliance and web app security.

Experts Exchange Hits “Reboot”

Experts Exchange announced this week that its question-and-answer forum is now available free to users; previously it required a monthly membership fee. It is also launching a new product, Courses, to allow members to learn new skills from experts in the community as well as from select third-party providers. The company says these changes coincide with its 20th anniversary.

“The core of our business has always been helping people solve their problems and encouraging learning,” said Gene Richardson, COO of Experts Exchange, in a statement. “By removing our paywall, expanding our offering and retooling our mission, we’re able to continue to build Experts Exchange into a place where people can learn and influence the future of technology. Experts Exchange has built a community of professionals interested in solving some of today’s biggest technology issues, giving people the power and knowledge to continue to advance in their respective careers.”

Research of the Week

Tripwire released this week the results of a study of over 500 IT security professionals that it conducted with Dimensional Research. The topic: key challenges that organizations face when trying to optimize their cybersecurity and compliance programs. The results are eye-opening and show a real need for partner support.

While the survey covers several areas, endpoint security stands out as a problem area. Just 33 percent of respondents even have endpoint security strategies, and 60 percent are not confident that all of the devices connected to their networks receive security updates in a timely fashion.

Spirion Hires Former Cylance, Intel Security Channel Executive

Data-centric security provider Spirion announced this week that Marc Davis will lead its global channel program. Spirion’s products are aimed at reining in sensitive data sprawl. Security experts have for years preached the benefits of data classification, usually to deaf ears. Spirion automatically discovers, classifies and protects customers’ sensitive data, no matter where it’s stored or the format. Target customers are those with HIPAA or customer credit card or SSN data run amok, or those with lots of intellectual property scattered around the network.

“Marc is a well-regarded professional in the cybersecurity industry and we’re extremely proud to have him join Spirion to lead our team’s channel sales efforts,” said Dr. Jo Webber, Spirion CEO. “He has a deep understanding of what motivates channel partners and we look forward to building a program that is beneficial, sustainable and profitable for partners.”

Red Hat Expands Mobile Vision

Red Hat announced this week the release of its Red Hat Mobile Application Platform as a fully containerized offering able to run in any public or private cloud or on-premises infrastructure that supports Red Hat Enterprise Linux.

One aim of the platform is to help customers have better control over security and policy management. By integrating with enterprise identity systems, customers can enforce user authentication, encryption and access to projects and resources.

Finally, much of next week I’ll be on-site at the IoT Security Summit in Boston. If you’re attending, drop me a line.

Follow editor-in-chief @LornaGarey on Twitter.
