Derek Lazzaro has a diverse background as an attorney turned AmLaw 100 CIO and now CISO at Defensive Networks, where he’s passionate about the importance of cybersecurity in today’s world and how it should be integrated in the foundation of any system. In this episode, Derek joins Bill to discuss:
- Software as a Service (SaaS) applications and the challenges of BYOD (Bring Your Own Device)
- The evolving landscape of cyber threats
- Why compliance frameworks are essential but insufficient
- How going beyond compliance is the key to true cybersecurity
- Advice on evaluating vendor security measures and staying ahead in cybersecurity
Bill Bice: Hi, Derek. Great to be here with you.
Derek Lazzaro: Hi, Bill, great to be here with you. Thank you for inviting me.
Bill Bice: Yeah, this is going to be an interesting conversation, but let’s start with a little bit of history before we, before we dive into that. So, give us some background on what you’ve done and how you’ve ended up doing what you’re doing now.
Derek Lazzaro: I have kind of a varied background in compliance and technology and cybersecurity. I started my career as an attorney. I worked for USC for several years. I was in-house there, and I was focused on HIPAA and gender contracting and compliance issues that sort of surrounded technology and healthcare and other areas. And then I transitioned into the CIO’s office at USC. I spent time as assistant CIO for the university, and after that, I became CIO of the university’s government-sponsored research institute called the Information Sciences Institute. And there I oversaw IT and cybersecurity and worked on their classified programs as well. So, I’ve had a broad range of different cybersecurity and compliance frameworks that I have been responsible for, and then most recently I spent six years at Lewis Brisbois. It’s a large national law firm, about the 7th largest in the US, at least in terms of headcount, with 50-plus offices. And now I’m actually at an IT consulting company called Defensive Networks, and here I’m leading the cybersecurity practice for Defensive Networks.
Bill Bice: Yes. And so, it was while you were CIO at Lewis Brisbois that you and I met, and now you’re kind of tying these things back together. So why the focus on cybersecurity?
Derek Lazzaro: You know, it’s a great question, and a few people have said, well, you know, you’ve been a CIO. Are you kind of becoming more of a CSO now?
And honestly, I think part of it is I just find it so interesting. I think that cybersecurity is such a hot topic. It’s affecting companies. It’s affecting individuals. The attacks that we’re seeing, and it just seems like an opportunity to actually help people where they need help the most. And you know, I think there’s also a lot of opportunity to, I view IT and cybersecurity as really two sides of the same coin, right? I mean, if you’re architecting an environment, if you’re not doing it with a cybersecurity hat on these days, I think there’s a problem. So, I see it as all part of an integrated sort of environment basically.
Bill Bice: Yeah, I’ve always thought that security is not this thing that you can add after the fact. It’s got to be a core ingredient from the foundation up.
Derek Lazzaro: Yeah. No, absolutely.
Bill Bice: And so, I mean, this is a particularly poignant issue in the legal industry.
I mean, I’m dealing with security issues all the time because our firms are under pressure for security, which of course translates into the challenges that we must take on. So what do you see happening in law firms that is particularly of import on the security front?
Derek Lazzaro: Yeah. Well, you know, I think that a little bit of history might be a good place to start. So, you know, in 2017 the Shadow Brokers released information about EternalBlue, which was the kind of backdoor that the NSA had been using for several years, and once they did that, that really kind of opened the floodgates to a lot of the ransomware attacks that we saw and the ability to literally hop from one computer to another, like back in the 80s and 90s. They called that like a worm-like behavior, right? But that capability put in the hands of cyber criminals really kind of blew the doors off the barn, and then of course with the pandemic and workers, you know, no longer necessarily being inside the corporate, you know, headquarters, the branch offices, the secure local area network. Now they’re literally working from anywhere in the world. That was kind of the next blow to cybersecurity, and really a lot of companies were not prepared for the additional challenges that that sort of paradigm would create. And so, what we saw over, you know, roughly from 2020 to 2022 were, you know, double-digit, almost triple-digit increases in the number of cyber-attacks targeting all businesses, and law firms are certainly included in that, you know, and really causing the vast problems we’ve seen in the news. I think in 2023 the statistics I’ve seen indicate that, you know, the increases are starting to level off, but unfortunately, it’s leveling off at a high number, right? And the other thing that’s true: a lot of the things that we thought were going to solve a huge amount of the problems, like multifactor authentication. The attackers have found ways to even get around that, and so I think that we’re now really in a set of circumstances where, if businesses are not checking, frankly, almost all the possible security boxes and control boxes, then, you know, it’s just sort of a matter of time.
And you know, there are no guarantees even if you check all the boxes, but at least you’re getting closer.
Bill Bice: Yeah, you’ve got to build the baseline to be in the game. And so, you know, we were talking before about several interesting stats. So first, a lot of companies are choosing to pay a ransom, and we’re seeing a lot of smaller companies that are getting targeted as part of that.
Derek Lazzaro: That’s right. Yeah, so Verizon estimates in their cyber threat report that 43% of cyber-attacks hit small businesses, and you know, we obviously hear about the big attacks, right? I mean, just in the last month, we had MGM Resorts get hit and their entire booking system was offline for days. 23andMe, the genomics company, was hit in the last several days. That was a little scary for quite a few people. You know, the District of Columbia Elections Board just announced that they had a cyber-attack a couple of days ago, and then going back a few weeks before that, the real estate MLS system was hit and was offline also.
So we’ve had these high-profile attacks, but again 43% of attacks hit much smaller businesses. Another statistic that I’ve seen that I think is interesting is that as many as 83% of companies pay the ransom in ransomware attacks. And I think that there are a couple of reasons for that, and they’re scary reasons. One reason to pay the ransom is your systems have been encrypted and you don’t have backups and you must pay the ransom to get back online and save the company. I think that more and more businesses, thankfully, are paying attention to their backup systems and therefore, you know, maybe that’s starting to become a slightly less common scenario. But the attackers have evolved. And what they are now doing is they’re saying, OK, even if you’re telling us you don’t need the data unencrypted to resume your business operations, what we’re going to do is, unless you pay us the ransom, we’re going to release all of your sensitive information onto the dark web. So they’re calling that a double extortion scenario where they’re essentially coming at you from two angles, and I think especially in the case of law firms, that’s a scary scenario, right? You’ve got all sorts of ethical and legal obligations to your clients, and you know, it really kind of puts you in a difficult situation where if you don’t pay the ransom then a lot of that information will potentially find its way onto the dark web.
Bill Bice: Yeah, that is scary. What’s your view of on-prem versus cloud in this context of security?
Derek Lazzaro: Yeah. So, you know, my views have evolved, and I’ll say, you know, personally I was initially resistant when Gmail first came out, when, you know, cloud first came out. I didn’t want to put my own personal data in those cloud systems. Right. And there were some high-profile cases, right? There were celebrities and people who had their cloud accounts hacked, and there were some reasons to initially be reluctant to embrace the cloud. I have come full circle on that, and I think that, you know, especially for businesses that are not massive global organizations themselves, right, like an ALE or Microsoft or a company along those lines, the cloud is much more secure, and the reason for that is you have a lot of the benefits when you move your workloads into the cloud: at least part of the security is being taken care of by the cloud hyperscale host, right, whether that’s Microsoft Azure or AWS. You know, that whole infrastructure layer is being secured by some of the smartest, most vigilant people on the planet.
Moving a workload into the cloud, you know, does not mean that you don’t have to think about it, right? I mean, if you’re moving an infrastructure workload into a compute cloud like AWS, you obviously are still responsible for securing the operating system and a lot of the networking. There are absolutely pieces that your IT staff and your cybersecurity staff still must be on top of and still must check all the controls and the best practices. I think where it gets a little bit murkier is SaaS applications, right? Software as a service. And one of the things that struck me when I became a law firm CIO is that, frankly, a lot of the vendors that supply software and supply SaaS applications to law firms are small themselves, right? They’re fifty-person companies, hundred-person companies, et cetera. They don’t necessarily have 24/7 cybersecurity staff and monitoring and all the tools you know you get when you put your email with Microsoft, right? And so, I think that one of the things that I’ve encouraged, you know, other law firm CIOs to do is really take a deep dive when they’re considering a SaaS application provided by one of the legal vertical vendors: interview them.
Send them a questionnaire, you know, put them through the paces and really understand: do you know what that company is doing to secure the application? You know, what does their infrastructure look like, whether it is cloud-based or not?
So I think those are important, and I think that one of the most important things that I hope almost all the SaaS vendors have is a top-tier, you know, runtime protection program on their servers, right? So, whether that’s CrowdStrike Falcon Complete, whether that’s Sentinel, Microsoft makes a good one. But if you don’t have something like that monitoring the runtime of the server environments 24/7 and then, you know, sending that data to a monitored SOC operation, then there’s risk there.
Bill Bice: Yeah. I’ve always felt that building SaaS applications is just like your comment about the IT architecture, which is that security has to be baked in from moment one and the first line of code you write, and the SaaS application has to take security into account, and that is the danger particularly when you talk about transitioning a traditional on-prem product and just, you know, hosting it in the cloud, moving it to the cloud. It was never designed to run there. That has a lot of security challenges, which can be dealt with. It’s just more difficult.
Derek Lazzaro: Right. One of the things I’ve recently seen is some good, you know, I’ll call it AI-based, I don’t know if it’s using a lot of true machine learning, but sort of automated web application testing tools, and I think those have come a long way in the past couple of years, where it used to be you hired a company, and they, you know, put two or three people on it. And they tried to break into your web application, and, you know, maybe they were successful or not. You were sort of basing it on, you know, how smart those people were. Now, with the more automated tools, you can run through thousands of attack scenarios in a day or two. And I think that that is another one. I mentioned the runtime protection, but I think that having that sort of vulnerability scan run against the external-facing application that’s touching the web is also important.
Bill Bice: Yeah, the tools have gotten much better. You know, there are core architectural decisions that make a huge difference. As you know, specifically for us, we have a multi-tenant architecture for our SaaS products, but single-tenant databases, and that eliminates a portion of the attack vectors when you separate out the data that way, but you must be thinking about that from day one.
Derek Lazzaro: Right, right. And to your point, you know, if the strategy is sort of just lifting an existing application into, say, an AWS infrastructure, you know, you do have to think about, have we accounted for the fact that this is not sitting in a secure data center anymore, right? And you know, I think some companies have done that very successfully, and in others, it’s still a work in progress.
Bill Bice: Is there an advantage to it? I mean, if you are a law firm and have everything on-prem, you essentially have an X marked as to where everything is at, versus if you are in the cloud, your data is spread across multiple providers and multiple applications. It’s buried in each one of those. It’s more of a needle in a haystack.
Derek Lazzaro: Yeah, that’s an interesting concept. I will say this: I think it’s very difficult for a law firm to truly secure their network, and I think that, you know, especially with BYOD being as prevalent as it is, especially with the fact that we’re seeing, I mean, I’ll give one example. In the last year, we’ve seen at least two Citrix NetScaler vulnerabilities. You know, Citrix is obviously the remote access, remote desktop capability that a lot of law firms use. Almost everyone who uses Citrix puts a physical gateway device on the edge of their network, which is what connects the Citrix cloud to the rest of the world. Those gateway devices have had critical remote code execution vulnerabilities twice in just the last year, and I know of scenarios where they have been attacked, and they potentially create a doorway into the rest of your network and potentially right into your data center network. And so, you know, again, if you’re running that in a data center, your defenses are only as good as the defenses that you have paid for, and the people that you have, and the, you know, kind of 24/7 coverage that you think you might have, right? If you have your applications and your data hosted in the cloud and if, you know, hopefully the vendors and everyone else again have that 24/7 monitoring and they have all of that stuff set up, then it’s not to say that you can’t have some of the same vulnerabilities in the cloud. But I think that there is more likelihood that you’re going to end up being patched. You’re going to have, you know, all other kinds of alerts letting you know that you’ve got a problem before it develops. You know, the LAN, the local area network, is kind of famous for just having old devices, sometimes literally tucked under somebody’s desk, that just sit there.
They get old, they have vulnerabilities, and then they become pivot points for attacks.
Bill Bice: You brought up bring your own device, which seems like it would have a unique set of challenges. Do you want to talk a little bit more about those issues?
Derek Lazzaro: Yeah. So, with BYOD, I will just say I am not a fan of BYOD, and one of the reasons why I don’t like BYOD is the way that most companies implement it. And so a lot of companies have understood we need multi-factor authentication on all our applications. But what they don’t necessarily do is also have identification of the devices that are connecting to those applications, or a health check or security posture check of those devices. And so a scenario that I have witnessed is you have, let’s say, webmail, right, and you can access your company’s mail through a web browser. If you have multi-factor on there, it’s a good start. It prevents just username and password from being the vector to get in and access that email, but what we’re seeing is that the bad guys have figured out how to either trick people into giving them the multifactor code, if a one-time-use code or rotating code is available, or, if it’s a push that pops up on your phone, they’ve figured out how to occasionally send sort of phantom pushes to people, and basically that creates a sort of alert fatigue, and somebody just clicks it. You know, they’re on the beach with their family. They get a push, they say, I don’t know. Sure. And they click it, and then the bad guy gets in. So multi-factor is no longer bulletproof, and so what you really need to secure your web applications is some sort of conditional access, right? Microsoft offers it, Duo offers it, almost all the multi-factor platforms have some version of it now, but it basically says, you know, have I seen this device before, right? And in some cases, you can even put a certificate on the device. You can in some way kind of identify that this is a device that we trust. So, have I seen this device before? It can also look for things like impossible travel. So, if a person, you know, logs in from Los Angeles and then three hours later they log in from, say, South Korea, kind of not possible.
And so that’s going to trigger an alert.
And so you combine a couple of those categories together. And then if you’re also doing posture checking on the device, you know, double-checking that it has encryption, that it has your runtime protection installed. If you’re doing all those things, then a personal device can be as secure as a corporate device, but if you’re not doing those things, then essentially what you have is your security is as good as the end user, right? I mean, if they don’t have a robust antivirus installed, if they don’t have their device encrypted, if they have visited websites that have loaded viruses on their computer, you know, now that’s essentially touching your network or at least touching your web application. Hence, you know, it’s possible to make BYOD secure, but only if you’re checking essentially all those boxes.
Bill Bice: Yeah, but you’re essentially pulling in the BYOD devices and making them the same as if they were company-issued.
Derek Lazzaro: Right. And obviously, that creates, you know, privacy and HR questions where you need to be prepared to answer those, but yeah.
Bill Bice: So you think it’s worth the expense just to get your own devices and have complete control of the process?
Derek Lazzaro: I think so. I think that by the time you work through the privacy and HR issues, and by the time you add in all the software and security that you’re going to need anyway, you just may as well hand somebody a device that you know exactly the configuration and security status of. IBM did a white paper on this quite a few years ago now, it was probably at least six years ago, and they found that their IT costs dropped by something like 50 or 60% when they just started issuing devices to everyone. And a lot of the major consulting and audit firms, you know, Deloitte and EY, essentially have taken the same approach, right?
Like everyone gets the same laptop, they have a stack of them by the reception desk at every office. If it breaks, you know, they hand you a new one, basically, and, you know, it just keeps it simple.
Bill Bice: Right.
Derek Lazzaro: You know, easy, repeatable, and they always know the status of the device. Not only can it reduce costs, but it also improves security. It’s really a win-win if you’re a CIO or CSO or, for that matter, you know, CEO.
Bill Bice: Yeah, there are vast, huge advantages to anything reproducible.
Derek Lazzaro: Yeah.
Bill Bice: The phishing testing software that, you know, we’re all running these days, does that stuff work? Does it train people not to fall for these things?
Derek Lazzaro: You know, I think it does. I think it helps. You know, I’ve witnessed improving numbers as that type of software has been rolled out.
So I do think it helps. I think that one of the problems, though, is a lot of people still don’t understand what a domain name is. Right. And, you know, I’ve seen people where you tell them if the email comes from, you know, bofa.com, it’s coming from Bank of America, you know, outside of some exotic situations. But one of the things that modern mail clients do is obscure that, which is sort of remarkable if you think about it. But they say, you know, you just got an email from Derek Lazzaro, and it displays Derek Lazzaro. That can be forged by anyone in about 4 seconds, right? And so I wish that Apple, Microsoft, and some of the companies that make our mail clients, whether it’s on an iPhone or computer, would stick with the traditional, you know, there’s a user at domain.com. Right. And then I think that would be something we could train users on. Of course, you can click on it, right? But it’s one more step, and many people don’t do that. So I think awareness programs help, but I also think that, you know, every time we take a step forward, we seem to take a step backward. As, you know, software changes and users are, you know, we’re trying to make it simpler and easier, less technical, and then we’re obscuring facts that can help users detect problems.
Bill Bice: Yeah, that’s tough to navigate. So, the compliance or security frameworks, you know, like SOC 2, comment on the value or challenges with those?
Derek Lazzaro: Yeah, you know, so I think security frameworks are necessary but insufficient. And that’s sort of a view that I’ve evolved into and recently really kind of come around to that opinion. And I think that they are helpful, and I’ve personally been involved in, you know, huge compliance programs. I’ve implemented NIST 800-171, which has 110 technical controls, and then we had auditors come in and check it. So, I’ve sort of been through that rodeo, and again there is some value there, right? They do force you to achieve some of what I’ll call baseline minimums in terms of cybersecurity. But I think that the challenge is that you can check those boxes with the budget version of the control, right? And you know, there’s a box for having antivirus. OK, check, right, but it doesn’t tell you whether you’ve gone with the worst possible scanning engine or the modern runtime 24/7 monitored solution. And so I think that’s one of the challenges. You know, going back to sort of multi-factor and BYOD, similarly, you can check the multifactor box, but unless you have conditional access and the sort of additional checks there, it’s only buying you so much. And so, I think the compliance frameworks are the starting point. But I think that if you want your business to be secure in 2023, you must go above and beyond.
Bill Bice: Yeah, I agree completely, having recently tackled SOC 2. And you can hire your way into, you know, into compliance and get through an audit. But there’s a big difference between doing that and doing the work. And you must do the work.
Derek Lazzaro: Yeah.
Bill Bice: It’s not fun. It’s not easy. It’s annoying. But there’s a big gap between what it takes to get through the audit versus what it takes to implement the real processes and tools.
Derek Lazzaro: Yeah, absolutely.
Bill Bice: Is there anything that’s particularly top of mind in terms of the challenges that you’re seeing in the market right now? I mean, I think the double extortion one was an interesting one. That’s a double whammy.
Derek Lazzaro: You know, I think using valid credentials is the scary trend that continues to be successful, right? A lot of these attacks, it’s not that the entire attack revolves just around, OK, the bad guy has gone on the dark web and has some credentials, but oftentimes they do start that way. Right. And then again, they bypass multifactor authentication, either through fatigue techniques or other techniques, and then they get into your system, and then they pivot from there. And then oftentimes, there’s sort of an additional layer where they use some level of technical vulnerability or exploit at that point to compromise one of the machines, escalate privileges, you know, that sort of attack chain. I think that the biggest thing, one of the main things I’m recommending to companies right now, is that if they have regular multifactor, they add conditional access or some additional layers of security onto that. As I mentioned also, you know, looking at your BYOD policy and making sure that it’s, you know, robust and that all those boxes are being checked as well. I think that those are critical. I also think that companies need to have a robust program around third-party risk and around vulnerability management, technical vulnerability management. So, you know, going back to the NetScalers and Citrix, if you are just sort of waiting for the announcement, there’s a good chance you’ll miss it, right? Or that, you know, you’ll patch your machine, but you’ll catch it a week after the bad guys have exploited it. So you need a program where you’ve got staff thinking about this essentially on a cadence, a daily, weekly, monthly cadence, and staying on top of that. When it comes to third-party and vendor risk, again, I think the cloud absolutely can be more secure than most on-prem environments, but you have to have the ability to ask the right questions. You need a questionnaire. You need to really have, you know, the ability to dig in on a technical level and say, all right, are my vendors doing all the things that I’m doing, and hopefully more, to protect my data?
Bill Bice: Yeah, I’m really getting the feeling from answering many of those questionnaires, I mean, it becomes like the security feature checklist process, right?
Derek Lazzaro: Mm-hmm.
Bill Bice: It’s just a checking-the-box thing, and you’ve got to go a level deeper than that.
Derek Lazzaro: Yeah. No, I agree. I mean, I think again, the questionnaires are a good starting point, and I’ve seen some really good ones that, you know, almost get you there, right, in terms of answering all the questions you need.
But I think it’s worth it, especially in the world of law firms and the kind of data that a lot of law firms deal with, to go a step further, actually interview some of the key people, whether it’s a security officer or one of the security engineers, and make sure that the checkbox means what you think it means. Yeah.
Bill Bice: Right. Yeah, I think that’s excellent advice. Derek, great to catch up with you. Thanks for coming on.
Derek Lazzaro: Yeah, absolutely. Thank you for having me. And it’s been a great conversation.