Patrick Garrity, VP of Operations at Blumira, a cloud SIEM provider, shares the top cybersecurity threats organizations might be overlooking going into 2021
Office employees aren't the only ones who've adjusted to remote work—threat actors have too. In this episode, we discuss the rising security risks within the new world of work and what businesses can do to minimize their risks.
Meet Our Guest
Patrick Garrity is VP of Operations at Blumira. Patrick has years of experience in the security industry building and scaling usable security products. He currently leads Blumira’s product, sales and marketing teams. Prior to joining Blumira, he led sales engineering, product marketing and international expansion for Duo Security.
Follow us on Twitter: @thedwwpodcast
Email us: firstname.lastname@example.org
Visit us: www.digitalworkspace.works
Ryan Purvis 0:00
Hello, and welcome to the digital workspace works podcast. I'm Ryan Purvis, your host supported by producer Heather Bicknell. In this series, you'll hear stories and opinions from experts in the field story from the frontlines, the problems they face and how they solve them. The years they're focused on from technology, people and processes to the approaches they took that will help you to get to the scripts for the digital workspace inner workings.
Heather Bicknell 0:30
So great to have you on the podcast. Patrick, thanks for joining me today.
Patrick Garrity 0:35
Yeah, it's wonderful to join. Thanks for having me. It's really cool to be able to talk security all the time. Awesome.
Heather Bicknell 0:43
So would you mind giving just a quick intro to yourself?
Patrick Garrity 0:47
Yeah, so I've worked in security while came out of the IT industry, and spent some time last seven or eight years at Duo Security, building and scaling, usable access security with their two factor authentication product that we worked on, and, you know, helped, implemented with customers in the US moved to Europe for a stamp and help scale the business there and then move to back home in Michigan. And we got acquired by Cisco, and helped with the zero trust strategy there. And then, recently, about a year ago, next week, join blue Mira to work on a different area in security, making it easy to do security operations, and help customers get detection controls in place. So it's fun.
Heather Bicknell 1:48
That's great. So I guess you were I do Oh, through all that that growth phase, that must have been like saying, Oh,
Patrick Garrity 1:55
yeah, yeah, I mean, I do, I think I think I was like, 12 employee really early on. So glad to see a lot of the early foundation of you know, understanding customers needs adjusting, and working with the product and engineering teams on what needed to be done to help address scale and make an effective tool for organizations of any size to be able to use so is pretty exciting.
Heather Bicknell 2:22
Sounds like it so and now you're based in in Michigan. Are you in the Ann Arbor area as well?
Patrick Garrity 2:27
Yep. Yeah. So it's kind of interesting, like Ann Arbor is a pretty big hotspot for tech security. So yes, we're we're based in Ann Arbor is kind of funny when we did have an office right now we're kind of remote. But it was it was about a block from duo. And then, you know, you guys are down there. And then also, census is another one that's that's on the same block. So it's quite quite exciting to see everything develop, and I think deep filled in an arbor as well. nearby.
Heather Bicknell 3:06
Now, are you are you a coffee drinker? A tea drinker?
Patrick Garrity 3:10
Heather Bicknell 3:10
Which of which wishes? Which of the downtown spots do you prefer?
Patrick Garrity 3:14
Oh, there's one I love and then I want to talk about the other one. You gotta Guess which one I love.
Heather Bicknell 3:20
I Well, I'm a big ruse roast fan. So
Unknown Speaker 3:24
Patrick Garrity 3:26
That's my, my favorite lobster butter. Okay, great. Great. A great team there. And I have a favorite barista. I don't know if you know, okay.
Heather Bicknell 3:38
I don't I guess I'm not that deep enough of a fan, maybe by appearance, but not named.
Patrick Garrity 3:44
She's great. If you ever in Ann Arbor, go to Ruth rose and ask for K and give her a good tip.
Heather Bicknell 3:49
All right, yeah. Now you have two two endorsements there for that excellent coffee. So yeah, I guess, you know, let's get into the the topic of the day. So we had chatted a little bit about what might be interesting to speak about. And you mentioned that there's sort of these top areas of security risks that people might be overlooking going into 2021. So I thought we could, you know, go through that list and uncover what could be interesting for folks to learn about and, you know, maybe even some advice on how to avoid these risks going into the new year. So the first one was around ransomware becoming more sophisticated. And I was thinking, yeah, of course, we've seen there's a lot of news in the past few weeks about, obviously, the solar wind, solar winds breach and the ransomware. With that. Is that the kind of attack that you see becoming more prevalent, or did you have another thought there?
Patrick Garrity 4:53
Yeah, I think a few different things. And a little bit, a little bit of different solar winds is a whole nother ball of wax being on the being on the sub supply chain side of like code and what's going on there? And certainly, I think it's important to think about, hey, am I at risk? It's also took a long time and a high level of sophistication, even detect and figure out that something was going on with solar winds and solar winds is used everywhere. So certainly, certainly something that's here to look out for is how do I mitigate and a lot of people are more or less just going How do I find an alternative solution to solar winds? Right would be be one consideration patching it. But I think people are more concerned in that area of like, the software that they're using, and making sure their partners and their vendors are, are securing it properly and adequately, and it doesn't have that risk? It's something that we really we've never seen before. to this extent, I think on the on the ransomware side, right? The ransomware side we've been seeing for years now. And things like cryptocurrency and Bitcoin are really what have enabled that. And the reality is, is like they're not very sophisticated attacks, typically, they're just looking for low hanging fruit and easiest ways to get into environments and deploy. Because the reality is the goal is just to lock up whatever organizations, servers and infrastructure and trying to, you know, get money out of them to turn it into usable state. So, yeah, big, big theme that I think, you know, people overlook is it's the ransomware attacks are becoming more sophisticated. And they're not just targeting servers, they're starting to target target virtualization infrastructure, like VMware storage arrays, and really across the any environment that they can get a foothold in. And, you know, I think in the future, we'll can continue to see more and more sophistication as far as how they're going about it. But also, there's more people out there that maybe might not be working, because of COVID. And then might turn to other ways to make money, which ransomware is one way to do that. And you can do it from home with the computer. You don't need much more than that.
Heather Bicknell 7:21
Yeah, I have certainly, you know, hurt a little bit around around that just around, you know, increased phishing attempts, both because people are sort of their guard might be lowered from working at home, and, you know, not being as careful as if they were in the office, but then also people being a little bit more desperate and maybe driving them to, you know, do more malicious things.
Patrick Garrity 7:49
Yep. Yeah, no, and certainly, as you look like if economy goes down, and people aren't working, and we see unemployment rate going up right now, right, or it has gone up, and it's coming back down. Those people don't might not have anything to do so like not wanting to do let me go research how to do something else. And no, it's a it's a great way to make an income, not legally. But it can be an alternative way for someone to make money. That's a reality nowadays. So that really changes changes things. From an from an attacker perspective and a defense perspective.
Heather Bicknell 8:24
Do you have any thoughts around what organizations can do or where they should be looking out for areas they should be strengthening? Like, what would your recommendation be for a response to a rise in ransomware? threats?
Patrick Garrity 8:40
Yeah, I think the reality what we find is, most ransomware attacks could could be prevented. In there's really a few different things. Number one is having the right prevention controls in place. So something like two factor authentication, still often doesn't go deployed. And it's not just that it doesn't get deployed within a company might also not get deployed to all their applications and services. So like, it's just not effective if you don't use it to the full extent. The other the other things are made, you know, making sure you have next gen firewall, making sure you have adequate cloud security controls in place from an access perspective. And also monitoring for things like do you have RDP exposed to the internet? That's a good example where like if you have a service that's available on the internet that you could exploit easily, people are going to use that as a way into your environment. And then the last thing I would say just in general is people have a lack of any detection capabilities for things like password spraying, internal recon scanning, really early stage parts of an attack, that if if you don't have adequate Quit detection in place you can't do anything about and you don't even know. So those are the those are the types of things where it's making sure a customer gets to a baseline can really change the game, whether someone can reach a host itself even to deploy ransomware. And then, of course, on the host itself, everyone should be looking at tools like EDR, which is kind of looking for anomalies on that device of when ransomware might actually go deployed. And that's late stage in the attack.
Heather Bicknell 10:37
And now, the second risk that you had identified was endpoints going on patched and remaining vulnerable. Do you like to dig into that one? A little bit?
Patrick Garrity 10:50
Yeah. On the on the endpoint side, and I kind of segues Well, I talked about EDR, right. So EDR is designed to kind of like, look for indicators of potential compromise or things that might be going wrong on an endpoint or device, and then you can contain it so it doesn't spread across your environment. You know, very, very similarly across the company's environment, making sure that endpoints servers, anything that has software on it goes patched in is up to date is particularly important. And you know, that starts with the foundation on making sure that you have a great patch management program, you're making sure that your devices are staying up to date, you're doing vulnerability scanning, to see where there might be a real risk. And so yeah, often often, you know, an exploit might be run on a Windows hosts. That works because the patch wasn't applied. And it's that it's really that simple. And it's a way for an attacker to get into a customer's environment.
Heather Bicknell 11:59
Yeah, certainly. And I think, you know, something that can prevent organizations sometimes from applying those patches as readily as just the fear of how they're how they'll impact the rest of the environment, you know, if I, when we apply this patch, are we going to have some unexpected performance problem? How are we going to deal with the blowback from that? So I guess, in a relatedly, I think it's important to be able to, you know, have a monitoring system in place to detect those issues early. And that sort of, you know, that's more of like, how we deal with things in my world is just finding the correlations, right. So when a patch is applied, correlating that to any problems that might be cropping up, so you can go after those proactively. And, of course, you know, most organizations are rolling these things out in rings, right? So you'll have, you know, when you have that those test group of users to be able to check, you know, the results of that security patch in your environment, and fix any problems there. So you can apply those patches and stay up to date to prevent that vulnerability.
Patrick Garrity 13:11
Yeah, and I think that's, you know, key while you're talking about their ranges, you know, when you're looking at different size customers, like, some customers don't have the time or resources to make sure patching is happening, or they might have systems that can't go patch, I know, an industrial control systems, a lot of times, that might be an environment where it could be a full system that needs to be replaced, change the system. So it's not always that a customer has full of choice and control. And I think like, being able to monitor so you can update faster, right? is a huge, huge value add for for organizations so that they can stay up to date and to reduce that that type of risk. So
Heather Bicknell 13:57
um, so the third one would be collaboration suites are a key target. And, you know, I think we've seen obviously with the shift to remote work a huge rise in the use of, you know, both office 365 and G Suite, and then all the unified comms tools to keep people connected and collaborative. And of course, it has huge productivity benefits, but as you know, as with anything, the more people are on it, the more attackers are going to take notice and look for ways to exploit
Patrick Garrity 14:34
Yeah, and it's it's pretty interesting there right with with things like office 365 and G Suite, like the accessibility of it, right. So first off, making sure that people are logging in have two factor enabled. Is is critical there. But yeah, essentially, that Collaboration Suite becomes a central hub of a company. And so, you know, attackers have gotten pretty sophisticated where they're looking at things like, well, if I log into an email account, what can I actually do with it? Well, all the email, and there's one thing that's valuable access to other productivity tools. So there could be financial statements. also commonly used for resetting passwords, or getting access to other systems. And so, phishing campaigns often are trying to gain access into these different different systems as well. But people, you know, the attackers do simple things, well, I don't want to actually if I get in, I don't want to disrupt my access to all this. So what if I just forward all the email and make a copy of it to myself, and I can look at it whenever it's convenient to me. So you look at the ability to do things like data exfiltration that go undetected, because people don't realize I still see my email, but it's also getting forward and someone else? Or, you know, maybe someone shared a document externally? Should it have actually been shared externally with someone outside the company, so you can do things so easily, because that's the way these these tools were designed to do. However, there's inherent risk, and most organizations aren't looking at those things. And that's an area where we help a lot of customers with our product to to make them informed when people make changes, like email forwarding to a rule that that could result in data exfiltration, right.
Heather Bicknell 16:33
is part of that, is it? Is there like a pattern detection element to or how would you? How can you tell, you know, if someone is, you know, maybe forwarding a document or, you know, giving permissions that shouldn't be there? How do you detect that?
Patrick Garrity 16:49
Yeah, it's, it's really a good question. Because like, a lot of people think you need ml or AI to actually detect this stuff. It's actually really simple. These things happen. But like, it's not normal for someone to configure email forwarding, like, if you're forwarding your work email, like that's not a normal thing to be doing, you can have a static rule that says something like that, in most things actually can be detected. The most common pieces of attacks can be detected via static rules, is what I would say. Now, as you're getting if you're getting into like monitoring, actual email coming in and trying to look for different patterns of email, that's a little bit different case. But hey, is someone logging in from somewhere they haven't before, that might be an indicator that's pretty static and simple to look at and detect. And so it really just depends, like geo and possible logins, or to people logging in the same account from different locations near the same time, of what techniques you would use to detect those things. But the reality is, is most people aren't detecting anything, or looking at anything. And that's one of the big issues is it's, it's been traditionally really hard to get those types of controls and visibility in place. is just the time to do it. Mm hmm.
Heather Bicknell 18:14
And I think related to this topic is the next, I guess, trend security trend, which was the move to the cloud and remote work increasing external exposure. So of course, we've talked about how, you know, on the Collaboration Suite side, but of course, there's a whole broad host of cloud services that, you know, organizations use, day in and day out for productivity. So, I guess, what are your thoughts there?
Patrick Garrity 18:44
Yeah, I mean, first off, ever, yeah, everyone's like, oh, we're not gonna have an off night, everyone. But maybe we don't have an office, maybe we don't need chromis stuff anymore. We're using SAS apps, we're using cloud infrastructure. People are working from home, there's a lot of different risks, like, we accelerated a five to 10 year roadmap to migrate to the cloud and remote work down to like six to 12 months with COVID. And so inherently, that just comes with a ton of risk. And so yeah, a few things like remote work wise, I'm in an office actually, that I got myself outside the home. But yeah, how many people are have kids, right? I have kids, how many are letting them use their work laptop? Or how many are using their personal device to access work stuff? And the kids, what do they do? They go, Hey, I want to download this game. I want to install this extension. And they click everything and they get excited about it. And they should they're genuinely curious kids, but most likely, right ends up resulting in malware, or access to other things that could be malicious, that that inherently then put the business at risk. So I think that's one one angle to look at, right from a risk perspective. And another side is moving applications or servers into the cloud, like most organizations and people that are doing that have an on premise environment. And it's their first time configuring Azure or AWS or GCP. And there's, there's so much room for error with these systems, right? with how they can be configured and the wonderful things that they can do that inherently they end up exposing their their secrets, they end up exposing their servers and their infrastructure. And it just makes it really easy for for an attacker to gain access and get a foothold.
Heather Bicknell 20:38
There's this great cartoon, I don't know if you've come across it, but I think it's like enterprise legacy move to the cloud. And it has these like sysadmin. Like cloud admin wizards attacking this huge dragon, and then it has like startup move to the cloud. It's just like a little bird that just like they're like, Hi free. came to mind when you're describing some of the complexities there. And yeah, I mean, I'm sure, obviously, a lot, a lot of a lot of change that I think the industry has been, you know, predicting for a while, obviously, we're moving, we're moving in the direction of cloud, you know, all that stuff has been happening, but you're totally right, and that the timeframe got shortened so drastically, and even things like, you know, having to rely on BYOD hardware and, you know, employees using their laptops at home, because oh, no, we had them, you know, in the office on desktops or some other form of hardware that, you know, they can't take home with them. And but they still need to do work, obviously. So, and no one can buy laptops, because all the laptops have been bought out. And,
Patrick Garrity 21:45
yeah, yeah, my kids are at home. So they need to be on a device. Right. So it's just so many things that a lot of people don't have full control over. That, that just increase the risk. And then I do think like, you know, certainly people not working I mentioned earlier, you likely have more people that are kind of curious and getting into security and might use what they learned to do bad because they can't get a job. You know, just just thinking out loud of some of the different circumstances people are put in during these times. So yeah, it is it is it is really a unique time for security in general. With that.
Heather Bicknell 22:29
Yeah. I guess along along the lines of I know, I asked this earlier, but I think the remote work, obviously, you know, a lot of a lot of organizations will continue to have to, you know, be in that mode through first half 2021. I mean, who knows, a lot of, you know, people are talking about, you know, now we can downsize our real estate and never go back to the office, you know, it could be a permanent reality. For some companies or, you know, some somewhere in between some hybrid model, either, either areas where, you know, do you have recommendations on where they should be looking to improve their security posture for their remote work or cloud?
Patrick Garrity 23:09
Use? Yeah, I mean, separate devices, get a device for your kids, don't let them on your mobile devices, don't let them on your laptops, desktops for work, it's just going to result in something bad. And I can, you know, I can, I can tell you that over and over again. Used to factor on all your personal accounts, use it on your corporate accounts. You know, from work from home perspective, make sure that you have a firewall in place. Usually, your router has that built in if you're if you're using a router with your Comcast or internet connection. those are those are some of the basics, make sure you said pass, no pass codes, face ID Touch ID don't share those codes with your kids. There's just so much on devices nowadays, especially even on the mobile side. So yeah, those are those are some of the tips I would say that are like really low hanging fruit. And then keep the devices up to date, make sure you go to the software update button and make sure it's actually working from time and time from time to time, because that's really going to be a big differentiator is making sure your devices are also up to date.
Heather Bicknell 24:23
Definitely, I think, you know, there's the added benefit there too. If you lock your kids out, they're not going to you know, spend a bunch of money on some, you know, mobile mobile game with microtransactions, either, so you get multiple benefits from that. All right, and so the last one on our list was that misconfiguration continues to introduce some, some big risks. So I'll let you take that one away.
Patrick Garrity 24:53
Yeah, I talked about this a little bit earlier, but like continually we see customers and organizations that are They misconfigured a server, it's out on the internet. And it shouldn't be. It's not up to date, the protocols they're using aren't secure. They don't use two factor authentication. You know, just there's so many variables going in, in regards to misconfiguration. On the cloud side. They're not using hardened keys for their cloud infrastructure. They're not using disk encryption, you know, just best practices, common best practices. And it's hard because it's like, there are a lot of things you got to look out for and best practice perspective. But yeah, I think we will just continue to see misconfiguration being that the top thing that impacts people, and so it's, well monitor for misconfigurations, review things to make sure they're configured and, and maintained properly, revoke people's access when they leave the company. There's just a lot, a lot of things to consider there. But it will continue to happen. There's so much room for error in it. And so, you know, I think the important thing is if you can monitor for some of these things, that's a really good approach. And that's, that's one of the areas I kind of talked about with detection, but also looking for things that might be misconfigured that that ended up leading to a incident or a breach are pretty important in that regards. And it becomes even more important once you start getting into like cloud infrastructure as well. Because inherently you can you can easily miss configure those types of things.
Heather Bicknell 26:39
Yeah. And I think, you know, you're right, the ability to monitor and detect them. Because if you don't, if you don't do those things, and you don't have something that can help you percolate up those insights, a lot of these things, I think, you know, it's very challenging until until you, you know, find out the unfortunate way to know that there was something wrong there.
Patrick Garrity 27:03
Yep. And I think a lot of times, like, yeah, it's ransomware. Yeah, and far, that's the most gonna be the most common and I think people people sometimes too, one thing I talk about a lot is like, they get they get sensationalized with the news of like, an advanced persistent threat, or these crazy, one time thing solar winds is I think, another example of that. It's like, no one was gonna prevent this other than solar winds. Is there isn't this more or less the reality in these cases? And so it's like, if you optimize to try and prevent that stuff, and you're not optimizing to prevent the low hanging fruit, you're more or less doing yourself a favor. And I think that's the that's the thing. We've seen time and time again, as people Chase, the unlikely over making sure that they have the basics, right. It's my my biggest viewpoint there.
Heather Bicknell 27:58
Well, this has all been super interesting, Patrick, and thanks again for joining me for this conversation.
Patrick Garrity 28:07
Yeah, it's fun, enjoy. It's fun to talk about these these different, you know, overlooked security risks within the world today. It's a it's a real problem to be tackled.
Heather Bicknell 28:19
Yeah, absolutely. And especially, you know, as the world continues to be a little bit wonky, and unpredictable, super important to stay on top of, of these areas. So I guess, as we close out here, where there, is there anything you have coming up that you think is related to any of this, that people should be maybe looking out for? And, you know, where can people get in touch with you?
Patrick Garrity 28:48
Yeah, certainly. So I'd say, you know, one thing is a lot of people don't have the capabilities to do detection within their environment are what our product is designed is to help deploy effective threat detection and response in a matter of an hour or two without requiring someone to have a deep level of security expertise. So as far as things coming up, we've really, you know, locked down and helping customers with cloud applications and services, we do have Amazon web services that we're adding Pretty soon, which I'm excited about, in continuing to add value across the customers environment. So that's probably the biggest, you know, some of the biggest thing that I'm I'm excited about coming up and we are as far as being able to find us. You can go to blue mera kaam, b l u M. ira.com. And we do offer the capability to play a free trial of our product. And, you know, one of the biggest things in tech is, it's a product that can be deployed in a matter of hours, right? So it doesn't require a ton of time to evaluate and give it a try.
Heather Bicknell 30:00
Awesome. Well, thanks again for this conversation.
Patrick Garrity 30:04
Yeah, thank you. That was great.
Ryan Purvis 30:08
Thank you for listening to today's episode. Our producer editor. Thank you, Heather. for your hard work for this episode. Please subscribe to the series and rate us on iTunes or the Google Play Store. Follow us on Twitter at the DW w podcast. The show notes and transcripts will be available on the website WWW dot digital workspace that works. Please also visit our website www dot digital workspace that works and subscribe to our newsletter. And lastly, if you found this episode useful, please share with your friends and colleagues.
Transcribed by https://otter.ai
VP of Operations @ Blumira
Proven leader and team builder who brings an exceptional track record of achievement focused on customer experience, operational excellence, product development and a culture of success. At Blumira I launched our GTM including sales, marketing and product strategy.
Built and scaled Duo Security's global operations from Series A to a $2.3B acquisition by Cisco.
Expertise includes Operations Excellence SaaS solutions, Scaling Startups, Sales Leadership, Product Leadership, Marketing Leadership, Servant Leadership, Security, Blockchain, Talent Acquisition, International GotoMarket, and Enterprise Technology.
Leadership and Mentorship
Advising/Investing in SaaS Tech Companies/Venture Capital
Blockchain / Cryptocurrency
Fun Facts about me:
- 2019 Marketing Leader of the Year: Re:Purpose
- Sales experience on all 5 Continents and over 25+Countries
- Patent: US9979719B2
- Traveled to Mexico, Canada, France, Russia, Germany, Sweden, Netherlands, Czech Republic and Ireland
- Lived in US and England
- Ran 2 Full (26.2 miles) and 1 Half (13.1 miles)Marathon