Mark Anderson [00:00:00]:
Something these days that doesn’t have a computer involved in it in some way, shape, or form. That doesn’t mean that everything is a cyber problem. And, you know, you look on the other side of it, look at things like influence operations and so forth, where they’re targeting social media and trying to manipulate elections and so forth. He goes, is that a cyber problem? Well, it’s cyber enabled, but it’s a human and societal problem at the same time. You know, you’re not gonna solve that necessarily through just clamping down all social media platforms. You’ve got to educate people to understand or check where they’re getting their information from. So it is that bleed, I would say, between, yes, it’s this technology that enables it, but it is, in many cases, a business problem, or in the influence operations world, it’s a societal and understanding problem.
Karissa Breen [00:00:54]:
With me today is Mark Anderson, national security officer from Microsoft Australia and New Zealand. And today, we’re discussing to ensure the resilience in a challenging cybersecurity landscape. So, Mark, thanks for joining, and welcome back on the show.
Mark Anderson [00:01:10]:
Thank you. Thanks for inviting me back.
Karissa Breen [00:01:12]:
So it is a challenging industry. The cyberspace landscape is changing a lot. So maybe that sort of start there with getting your view on the state of, you know, cybercrime as we’re speaking today.
Mark Anderson [00:01:24]:
Yeah. Sure. So I guess I should probably start by telling you where our state of the world or state of view of cybercrime actually comes from, and that comes from the Digital Defense Report that we publish on a yearly or an annual basis. And the Microsoft Digital Defense Report is an evolution of what we used to call the Security Intelligence Report, which has been published by us since about 2005. The Microsoft Digital Defense Report actually appeared first in 2020 and was really a reimagining of that Security Intelligence Report. And we just recognized, really, that the landscape of cyber was changing. You know, all of a sudden, people were talking about remote workforces and supply chain and increases in criminal activity. So we created a new format where we brought more data from more teams across Microsoft than we’d ever done before. We also wanted to target a broader audience in terms of consumption.
Mark Anderson [00:02:13]:
And on that point, actually, this year, we released, whilst the big report’s 130 pages, we actually put exec summaries out. So, when I talk about a lot of the statistics that’s happening in the world of cybercrime, this is absolutely where it comes from. In that report, it really talks about cybercrime, nation state threats, critical cyber challenges, but all of it’s not doom and gloom, which is good. Sometimes it also addresses what we’ve learned and what we’ve observed. So, really, you can get into how you address those those issues. With that context, I guess, with that little bit of history of where the information comes from, focusing on the question around, well, what is changing in the world of cybercrime, I think it’s fair to say that we, and by we I mean governments, businesses, individuals, have been on the receiving end of a really unprecedented, relentless assault. You know, we live in a time where never before have nation states and criminals been able to operate without restriction in the targeting of technologies and systems, and in the vast majority of cases, have been able to do so with little fear of reprisal, and I would suggest that that’s reflected in the stats that we see in this place. However, one slight segue on that point.
Mark Anderson [00:03:22]:
Hopefully, you recently saw the announcement regarding the identification of the Medibank perpetrator, Aleksandr Ermakov, and how the Australian government and ourselves at Microsoft were to provide key evidence in his identification. So I think that shows that we can fight back. You know, it’s not it is resource intensive and, but for me, it was a great announcement because it’s an amazing warning shot, I guess, across the bows and shows that, you know, you might think you can hide, but it doesn’t necessarily mean you can. So that’s probably, you know, the good news story, I’d say. There’s also a recent one. But giving you an idea of some of the statistics, at Microsoft alone, we have a capability called the MSRC, which is the Microsoft Security Response Center. And this is our group that deals with all of our cloud and on premises security cases through to getting things like patches out the door. And this team is supported by multiple other security operation teams, and we’ve internally seen an annual increase of 23% in the number of cases that we process.
Mark Anderson [00:04:17]:
Now that is huge, and I’m sure that those that are listening to this podcast, I would be very surprised if anyone said their cases have gone down. In my conversations with customers, I get the sense that we’ve all seen that similar rise. So, that’s pretty much our world, but in terms of the tactics, identity based attacks are where identity attacks are compromising accounts and that’s the entry point. And on our platforms, we’re blocking around 4,000 password attacks every single second. And throughout the report that we published in the period of July 2022 to 2023, the average password attacks per month sat at about 4,000,000,000. So 4,000,000,000 password attacks every single month. However, in that report period, when you fast forward to January 2023 through to June 2023, which is where the report ends, we saw that actually increase by tenfold. So we were seeing 40,000,000,000 password attacks every single month. And you go, well, why that increase? Well, unfortunately, you know, these types of attacks are both inexpensive to run and execute, but they’re also surprisingly still effective as well. And, interestingly, the target sector that bore the brunt of most of that was the education sector.
Mark Anderson [00:05:38]:
And I think it’s important to remember that these stats are global, by the way, so I’m not saying that, you know, Australian unis were the ones feeling all of this pressure, but but why unis, I guess? And, you know, in general, and I am absolutely generalizing here and remembering it’s a global report, you know, the education sector tends to have a lower security posture with things like lower adoption of technologies like multi factor authentication, all of which makes them vulnerable to phishing and credential stuffing and brute force attacks. On that point, actually, of MFA, we all know that MFA stops these types of attacks dead in their tracks. However, a real point of caution that we’ve started to talk about recently is the issue around MFA fatigue, and we did see a high profile example of this with Uber where the attacker knew that username password combination, and even though the account was protected with MFA, all the attacker kept doing was just dinging the account. And, eventually, the user their phone’s going ding ding ding, and eventually, they just they just got fed up and went, and clicked okay just to make the thing stop. And strangely, when you click it, it does stop. But at that point, you’ve you’ve sort of let the attacker in. So, I think it’s important when we think about things like MFA fatigue, you know, it’s important to think about what drives that. Well, number 1, incorrectly implemented MFA can be just as bad because if you’re constantly pinging your users with MFA prompts, then they move from it being an event or action that they need to scrutinize or pay close attention to, to one where they just click Accept.
Mark Anderson [00:07:10]:
One day they will do that, and it will be an adversary behind the scenes. So, you know, MFA fatigue is absolutely something that we need to be watching out for. A couple of other areas that we’ve been really focused on in the report as well from a cybercrime perspective, human operated ransomware. So this is where instead of what I’ll call V1 ransomware, where floods of emails go out and whichever unfortunate person clicks the next link becomes the victim. In the world of human operated ransomware, this is where gangs are explicitly targeting organizations. They do their research. They understand what’s valuable. They know what they should be paying in terms of market rate.
Mark Anderson [00:07:45]:
And we’ve seen that go up by more than 200%. And increasingly, 70% of organizations encountering this new human operated ransomware are now smaller organizations. So by that, we mean those with 500 and fewer employees. So human operated ransomware used to be the exclusive targeting of the FSI, the financial services industry, right, and all the big players, but now criminals are going after the smaller ones. So, the whole idea that, you know, I’m too small to be of interest to cyber criminals is absolutely not true anymore. And interestingly, it’s on that from a forensics perspective. Our investigation teams found that 80% to 90% of all successful ransomware compromises actually originated through unmanaged devices, so BYOD laptops, phones, tablets, things like that. And then I think the last step in this area that I’ll probably give you is an increase in business email compromise.
Mark Anderson [00:08:36]:
So, you know, a moment ago, we talked about the compromise through password attacks. Well, not all attackers are gung ho and run in and start pulling out data or initiating ransomware attacks and destroying computers. Some are in it for that stealthier game of email business email compromise, which, to be quite frank, is just a fancy name for essentially financial fraud. And this is where attackers are inserting themselves into legitimate business processes through these legitimate accounts that they’ve compromised. So a simple example being like faking an invoice or changing the details on an invoice and having the funds routed to them. And this type of attack, we observed around 156,000 daily attempts between April 2022 and 2023. So, from a purely financial standpoint, it’s actually as significant as ransomware. So, the question then becomes, well, why is this increasing? Well, we know that the ecosystem in terms of access to capability is changing.
Mark Anderson [00:09:29]:
Criminals now have access to on demand services to aid them in their deeds, but also new technologies, like AI and voice generated AI. Imagine the world where it’s no longer just an email you’re getting to tell you pay the invoice, but a voicemail from your boss. Your chances of success are increasing. And it was just the other day, actually, there was a report out where I think it was a bank in Hong Kong, where one of the financial controllers within the bank paid out 25,000,000 USD after a call with what they thought was the CFO of their company, but it was actually a deep fake video. So, you know, they’re really taking it up a level in the space, so it’s really one to watch.
Karissa Breen [00:10:05]:
Yes. I did hear about that. That was that was wild. And, unfortunately, that’s not gonna be the last of it. I wanna go back a step. I mean, there’s lots of great things you said there. One of which was the small businesses. So you are right.
Karissa Breen [00:10:15]:
You know, what never gonna happen to me. I’m too small. The other side that that I look at is hearing from small to medium sized businesses that I know I’m in conversations with or people just I meet randomly and they start talking to me because I know I’m some cyber person is they’re like, well, if I go to these big vendors or these big service providers, they just say I’m too small. So do you think that there is that market for smaller businesses? I don’t know. Perhaps it gets wrapped up as a managed service for, like, a small to medium sized business that they completely outsource it. I’m just hearing that a lot that vendors are either servicing the enterprise market or, you know, multinationals or big, you know, service providers are just saying, no. You’re too small. We only sort of work on deals at x amount.
Karissa Breen [00:10:57]:
So do you think that perhaps there isn’t enough capability servicing that sort of small to medium sized market and majority of businesses in Australia are at that size?
Mark Anderson [00:11:06]:
You’re absolutely right, and and it’s an area that that we need to address. And it’s actually, you know, one of the focus areas of the new executive team that was created by the government surrounding the new cyber report. One of the working groups is actually a working group that’s concentrating on how do we address helping small businesses. I think there’s probably a couple of ways to look at that right. I think, you know, traditionally, maybe smaller businesses had to build their own IT capability on premises. And, you know, in the advent of cloud, whether it’s us or other cloud providers, removing the ability to have to have a server running in the back room, I think, nobody should be running their own email server on premises now if you’re a small business. There are so many options out there to enable you to do that. So the more of that that you can offset to, you know, cloud providers or somebody that does it as a smaller, you know, managed service provider, they’re absolutely better.
Mark Anderson [00:11:58]:
But I agree that we do also need probably more capability from small businesses providing small business IT services. And it’s absolutely a gap, and it’s one that we do need to address as a country for sure.
Karissa Breen [00:12:09]:
Okay. So going back on one of the stats, you said the identity based attacks, from my understanding, you said 4,000,000,000 every single month, but then that increased in the previous year to 40,000,000,000. So do you think this next year, when you come back on the show this time in a year, that’ll be up to, what, 80,000,000,000? Or
Mark Anderson [00:12:27]:
Yeah. Potentially. And and, yeah, when you think about the stats in general, I like again, I’ll go back to that report that we released last year. And in that report, you know, we we we talked about, like, those, you know, the 4,000 password attacks per second, and then that’s like 4,000,000,000, you know, 4,000,000,000 to 40,000,000,000 a month. But then, you know, if you’ve seen in the report, we also talk about the fact that, globally, we synthesize around 65,000,000,000 signals, you know, every single day. And that that is huge. That was up. From 3 or 4 years ago, that was around 8,000,000,000,000.
Mark Anderson [00:12:57]:
And just by the way, I know we keep throwing these trillion words around, and I find sometimes that they’re really hard to get your head around, so I like to put them in per second. So 65 trillion is around 752,000,000 pieces of information every single second that that comes in our platform. So I know I know you’ve got a strong cyber background. Can you imagine building yourself a SIEM solution that’s pulling in that amount of data? It’s not just an engineering challenge to pull it in, but then doing something sensible with it, and that’s what we’ve been having to do over the past few years. Like I say, 3 or 4 years ago, it was 8,000,000,000,000. It’s it’s now at 65. And then I think about other things, like we’ve got a malware sample zoo that’s got about 4 and a half trillion pieces of malware in, again, up, you know, 3 or 4 fold from a few years prior to that. So, yeah, it’s just it I don’t think any of these numbers have ever gone backwards in any of the reports that we’ve ever put out.
Karissa Breen [00:13:44]:
So how do you synthesize that level of information? Like 7,000,000 or something you said a second. So by 2 seconds in, you’re already up
Mark Anderson [00:13:50]:
750,000,000 a second. So, I mean, I mean, when you think about, well, where does it come from, right? Because, again, you know, it’s not all just running one massive data lake. It’s a, you know, it’s a it’s a series of pieces. Because if you think about the organizations that we service, right, it’s everything from the largest government and enterprise customers in the world through to the small and medium consumers, and you’ve got corporate assets or enterprise assets like Azure and Office 365, but then on the consumer side, you’ve got things like Xbox Live and Outlook.com and Skype and Windows, and that’s what really accumulates that 65,000,000,000,000 a day. So they’re all in sort of different pockets, and you you know, they all come in, but you’re not necessarily throwing them in one lake and looking at all in one go. You know, you have different types of queries running over them. So it is an engineering, you know, a challenge for sure. But even though we have those awesome data sets, it’s also about having people that are able to reason over that data as well and know what to look for.
Mark Anderson [00:14:42]:
So, we’ve got a really strong set of security teams within Microsoft, whether that’s the MSTIC team, which is the Microsoft Threat Intelligence Center, which is like a team of dedicated nation state hunters. They’re looking for particular pieces of information within that dataset, mainly related to things like Russia, China, Iran, North Korea, and a whole bunch of others. Then we’ve got different teams that are looking for different types of information, like the Digital Crimes Unit might be looking for things that are looking like fraud or looking like scams, etcetera. So it’s a it’s a real mixture of who uses that dataset from all of the different types of teams that you have in the business.
Karissa Breen [00:15:16]:
Now I just wanna focus on the business email compromise, and I was speaking to someone the other day. They are servicing a council, and they exactly had this problem. But then when we sort of talked it through, it was like, well, actually, it’s a business problem that led to this issue as well. So for example, I don’t have all the details, so I’m paraphrasing, but, basically, there’s large amount of money. There were several instances that gave, like, red flags, like, no. We haven’t paid the supplier before, like, x y zed. But, also, by the time that they were at the, you know, 11th hour about to transfer the money over, something had intercepted it. There was, you know, there was a reason for that.
Karissa Breen [00:15:53]:
When I was talking to the guy, I was just saying he was saying, like, well, there were so many instances in terms of business processes that actually haven’t been, you know, instituted, haven’t been followed, haven’t been adhered to, which then creates more of a cyber problem. And then I think maybe it’s a it’s a skewed view of saying, well, yes, cyber, of course, is on the rise. But, actually, if you were to peel back the layers, that business email compromise situation was actually stemmed from a business problem. I never really looked at it like that before, and I felt somewhat silly because I’m thinking, oh, you’re actually you’re actually right. So do you think that perhaps, like, people don’t understand that they have to follow a certain process? So, for example, if it’s like, okay. If I’m gonna transfer Mark Anderson $250, like, maybe I should call the company first as the last sort of point of defense before I transfer the money to sort of intercept some of those attacks as well as doing the other checks and balances then along the way. I was just sort of saying that there were so many times, there were so many red flags, and yet it didn’t get sort of picked up on until the, like, right at the last second.
Mark Anderson [00:16:57]:
Yeah. You’re absolutely spot on. That is that is exactly it. Whilst we call it a cyber problem, it is a cyber problem in the context that, you know, through compromising a legitimate account, like, let’s say you’re the CFO, and I compromise your account, and you don’t know I’m in there, and I’m lurking, so I can see how you operate. But, ultimately, what I’m doing is I’m the the thing that I do in order to get the money out is not necessarily a, you know, an air quotes, a cyber hack. It’s a it’s a how have I interjected and how have into the business process, or how have I skewed the business process that’s happening within your organization? So you tend to find, to exactly what you’ve just talked about there, organizations that don’t necessarily have solid processes in place are more susceptible to these types of these types of, fraud. You know? So if we were if we were dealing you know, if you and I were running a company and we dealt with all of our invoices and, and payments and everything through a large Excel spreadsheet, that’s not great. But if we’d gone away and pulled in, for example, a full on financial accounting system with proper workflows in and all the rest of it, then the likelihood of these types of attacks succeeding are significantly less.
Mark Anderson [00:18:04]:
So, yeah, you’re right. We sort of say the cyber piece is probably the entry point, but it is really the business process that breaks down and falls over, which which enables the actual fraud to take place.
Karissa Breen [00:18:15]:
But is this the part that you think people are unaware of? Because they could could just turn around and go, oh, well, Mark, of course, it’s a cyber problem. And it’s like, well, actually not. If you peel back the layers, it’s actually a people problem and a process problem, and your people aren’t even really following. Well, actually, I’ve never paid the supplier before. I should probably look into that a bit more if it’s, you know, manually done. And I just think that perhaps that’s the gap in the knowledge from a business point of view that people aren’t noticing perhaps.
Mark Anderson [00:18:40]:
Yeah. You’re you’re absolutely spot on in this because the so it’s almost because, you know, because computers are involved, it is it is it is therefore a cyber problem, but pick something these days that doesn’t have a computer involved in it in some way, shape, or form. That doesn’t mean that everything is a cyber problem. I mean, you know, you look on the other side of it, look at things like influence operations and so forth, where they’re targeting social media and trying to manipulate elections and so forth. He goes, is that a cyber problem? Well, it’s cyber enabled, but it’s a human and societal problem at the same time. You’re not going to solve that necessarily through just clamping down all social media platforms. You’ve got to educate people to understand or check where they’re getting their information from. So, it is that bleed, I would say, between, yes, it’s this technology that enables it, but it is in many cases, like in your scenario there, you know, it’s a business problem, or in the influence operations world, it’s a societal and, you know, understanding problem.
Karissa Breen [00:19:33]:
We we could all turn around and say, well, everything’s a cyber problem. Everyone’s got a phone. Everyone uses the Internet. Everyone operates online. How do you think we close that gap then? Because I think people sort of dismiss and go, oh, it’s Mark Anderson’s problem. He’s the he’s the cyber guy. I’m seeing that a lot more now because you say there’s a computer involved. People just naturally think it’s that IT problem.
Karissa Breen [00:19:50]:
I know we’ve spoken about this for years, but yet the problem still hasn’t really dissipated. It’s actually gotten worse.
Mark Anderson [00:19:56]:
Yeah. It’s funny. I was talking to somebody not long ago about this, actually, where I was I was saying exactly this whole idea that, you know, cyber is still it’s not quite made its way over from a generational perspective, because there’s still a generation of us that are out there where, you know, computers and this IT and this whole idea of having a phone in your pocket and all the rest of it was is still new. There’s obviously generations that are coming up where this is absolutely natural, and they’ve never known a world without a mobile phone or a tablet or a computer. So I wonder whether as we as, you know, as the generations move through, and for me, cyber should become a life skill. You know, as much as crossing the road, we all know not to cross in the middle of a busy road. We all know to go up and walk at a, you know, cross at a crossing. We know to look left and look right, all those types of great things. I think until cyber becomes sort of ingrained to us all as that life skill, I think they’ll always blame, you know, there’s always an out, if you like, to to blame cyber and blame computers for the problem.
Karissa Breen [00:20:54]:
Well, you’re absolutely right, because people come to me asking me for networking related issues. I said, look, I have no idea on that problem. Okay? So you’d have to find someone else who knows because they just think phone, computer, iPad, router, Karissa must know. So I can relate on that front, and I just think it’s it’s important to highlight that because as you really as as you would know being in your role, like, when you start sort of going through the forensics, sometimes some of these attacks, like, actually, this had nothing to do with that. It was so basic. And yet here we are. And, of course, it sort of then, you know, leads up to being a cyber problem in the end. On that note, I wanna get into a few more of the stats.
Karissa Breen [00:21:29]:
Now just a quick comment on on the Microsoft Digital Defense Report or MDDR, another acronym for our industry with exactly what we don’t need. We will be linking a copy of the report in the show notes for those wanting to dig a little deeper. Now from my understanding, I read you’ve you’ve gone through a lot of those stats before, which was really interesting, but a couple more were the the last report. So 60,000,000,000,000 signals synthesized. You touched on that before. 4,000 attacks blocked per second. You touched on that. Plus 300 plus unique threat actors tracked, including a 106 nation state actors, 50 ransomware groups, and others.
Karissa Breen [00:22:03]:
I mean, I could go on and on and on, but let’s focus on that onesie. What are your thoughts then on that, and what does that sort of look like a little bit more fidelity?
Mark Anderson [00:22:13]:
Yeah. So you’re right. It was 300 plus that we do, a 160 nation state, the 50 financially motivated, and then the the other categories are also quite interesting as well, like private sector offensive actors, you know, like commercial spyware, things like that. But the 160 nation state actors, so that’s a real mix. So, you know, predominant nations in that, probably no surprise, Russia, China, Iran, North Korea, and then there’s a spattering of things like Lebanon’s in there, and a whole I think Vietnam made it on a few years ago, etcetera. So, yes, those major countries, but then subgroups within them. So, if you take Russia as an example, in Russia, you’ve got probably 3 main directorates, I guess, within there. You’ve got the Russian GRU, which is like where their Spetsnaz and all that, so it’s like a military unit.
Mark Anderson [00:22:57]:
And then you’ve got, you know, the SVR and the FSB, which are their foreign and domestic intelligence agencies. And then underneath those, you have lots of subgroups as well. So, by the time you times that out across all of the other countries, then you do end up with 160. And then plus on top of that, we also then, once one of the statistics that’s not, I don’t think necessarily covered it or it might be in the report where it talks about unnamed or groups in development, these are groups where we’ve seen some of the technique, tactics, procedures looking very similar to the ones of groups that we already know, but we’ve not been able to fully attribute. So the number’s probably greater than the 160, but these are where you’re just finding these little subdivisions of capability that’s that’s breaking out in these different groups across the world. But it’s a huge number, and it and it’s and it’s growing. Now what I would say, though, is that of those 160, they’re not all created equal. You know, the world like your Midnight Blizzards and those types of folks.
Mark Anderson [00:23:50]:
They they are, you know, the the top of the top. They’re the cream of the cream, if you like, from in terms of their capability, but they do have a lot of, smaller groups in there as well.
Karissa Breen [00:23:59]:
So in terms of the numbers, would you say that it’s increased then from the previous year? Because we’ve seen a trend as you’ve clearly alluded to today. Those numbers just keep going up. So is that more substantially more than the previous year, would you say?
Mark Anderson [00:24:11]:
It’s definitely gone up, but there’s there’s probably a little bit of a skewing in that as well, in that we’ve also grown our teams and our capability and our visibility. So, you know, sometimes it’s difficult to tell, like, has number of teams grown or has our capability and visibility grown, and therefore, we can see more of them and therefore identify more of them. So it’s difficult to give, like, an an absolute. I’d say it’s probably a mixture of both because we we’ve determined within our own organization that it’s really important for us to have this capability for tracking these types of organizations for defending our own platform and defending our customers on our platform. So we’ve grown our capability, and with that, we you know, we’ve started to bring in new talent. You know, most of the folks that work in teams like MSTIC or MTAC, which is the threat analysis center. The vast majority of them are all ex-three-letter agencies from across the globe, so intelligence community, military, law enforcement, and they’ve all got, you know, those skills to be able to know and understand what these types of groups do. And then we bring them in, and we give them some awesome tools and technology, and you let them run free. And as you do that, you know, these people do what they do best, and they and they find they find more once you give them the opportunity to.
Mark Anderson [00:25:21]:
So, yeah, it’s a weird one. I’m not sure if it’s increase or just more vis.
Karissa Breen [00:25:25]:
So maybe let’s switch gears now, and let’s get into critical cybersecurity challenges. So what’s your view on this big topic, but, yeah, just keen to rattle off whatever comes to mind.
Mark Anderson [00:25:36]:
Yeah. Sure. There’s probably a couple of areas for me in in the critical cyber challenges that we called out in in that report, actually. The first one really relates to supply chain resilience, and in particular, open source software like supply chain resilience. And the other side of it is what we’ve seen in IoT and OT, which I think is on a lot of folks’ radar, but I think the, information that was published in the report for me was actually quite shocking and compelling and really got me thinking about the problem in a different way. But if we just start, talking a little bit about the open source supply chain side of things, we could easily spend the next hour talking about this in detail. It’s actually one of my favorite topics. But I think in the time we have, we could probably only really frame the problem and give some macro examples.
Mark Anderson [00:26:17]:
But if you think about it at that super high level, on one side, with open source software, you may be ingesting issues into your organization through code or components or tools you’re bringing in to develop your solutions. But also, you might be a developer of solutions that you push out to market, so you could actually be the entry point for a threat actor, and then you become the one that pushes the vulnerable pieces out into the world. But I think it’s first super important to recognize that open source software is a key component of all modern day development practices. You know, we know that OSS makes up 70% to 90% of the code base used by developers and is present in 96% of modern applications. So, it’s clearly a crucial dependency for the software industry. I’m going to say industry, I mean, everyone from yourself tinkering around with software development at home all the way through to the largest organizations on the planet. To give you an example of how much do we use, we use approximately 83,000 unique packages, which are then used over 13,000,000 times in our products. So anybody that says still thinks that Microsoft isn’t a fan of open source, I’m afraid to say your knowledge is well and truly out of date. And actually, we’re one of the largest contributors to open source on the planet.
Mark Anderson [00:27:29]:
It’s actually normally a tussle between ourselves and Google as to who’s sort of in that number one slot. And, you know, if you go to opensourceindex.io and just flick month by month, it’s we’re back and forth between each other, and Red Hat’s in that solid third place. But in terms of what we’ve actually observed in that space, I’d say, you know, the headline statistic is that we’ve seen attacks targeting open source software increase by 742% since 2019. And that number is really only going up. So because open source software, as I said, is you’d be crazy to do modern software development without it. Nobody’s creating things from scratch. But when we think about that problem, there’s probably 4 broad risk categories.
Mark Anderson [00:28:12]:
And in those categories, it’s probably we think about vulnerable artifacts, so things that you’re bringing in that have unintentional issues in, or maybe they’re good right now, but not good later. So, think something like a Log4j as an example. Malicious artifacts, which are clearly terrible things to bring in in the first place because they’re malicious, but also things like unavailable artifacts as well. Right? I mean, you might think the fact that a piece of code is no longer available, is that really a cyber issue? Well, availability is a cyber issue. It’s part of the CIA triangle, and if pieces of code disappear off the internet and your build pipelines depend on them, then your build pipelines will actually stop. And then rogue artifacts, so bits that people have just brought in and inserted into your code, but you’ve got no way of tracking that that was actually brought in, and, you know, back to the good old cyber saying that you can’t defend what you know about. So, you know, there’s plenty of and I have to say earlier I could, I could talk about this topic for ages, but I think one of the things that or trends that’s changing and has started to change, which has really got me excited about how we start to, you know, take control of this OSS world is the push towards the use of software bill of materials, or SBOMs for short. There’s another acronym for you that we all need.
Mark Anderson [00:29:25]:
SBOMs, and this is basically like a manifest that ships with your code. Right? So if you go away and get a software solution with an SBOM, it’ll say, these are all of the components which actually make up this solution, and here’s all of the version numbers. And if you were tracking the US presidential order back in May 2021 on improving the nation’s cybersecurity posture, they talked about enhancing software supply chain, and I think it was section 4 that said, the software provider must provide a software bill of materials for every product, either directly or by publishing it on your website. And in that scenario, it was really for US government purchasing, but and that was driven by the SolarWinds incident, right, and knowing what’s actually in those products. And I really like this because this is something that we as an organization have always done internally in our own build pipelines, because you need to know what components are in the thing that you’re building and where did they come from. And it also means that, you know, when something like a Log4j hits, you actually just need to go to your database of SBOMs and have a little query through it and go, well, okay. Do we have that vulnerable component in our network, and where is it? But, I mean, that’s on the defensible side, but I also love the idea that, you know, as we move towards this world, even changing your purchasing habits. Right? If I’m trying to sell you a solution, the first thing you should probably ask me for is, do I have an SBOM? And then I can hand you the SBOM, and you can then pull that in and cross reference it, you know, with a vulnerability database and come back to me and go, well, there’s 10 known CVEs in this that are really terrible, so I’m not gonna buy your product until you fix it.
Mark Anderson [00:31:00]:
You know, it’s a really, really positive move. So, for me, I’m quite excited about that and where that’s heading. But lastly, on that topic, I’d probably also say that we’ve actually contributed to what’s called the Secure Supply Chain Consumption Framework, or the S2C2F, I think is the acronym for that one. And I know, that was one that I keep tripping over as well with my tongue, S2C2F, and it’s made available for anyone that’s got a dev team in their organization, and it really outlines a set of requirements of how you can improve security around consumption of OSS in your own developer workflow. So it’s something that’s worth checking out for sure.
Karissa Breen [00:31:35]:
Okay. I wanna press on a few questions on that topic. I have interviewed a guy last year that the whole thing we spoke about was open source software. On that note, would you say the SBOMs, would that then help with from a governance layer? Because some of the conversation I had last year was around exactly, like, especially on your first points around vulnerable artifacts and then malicious artifacts, like people not really knowing. And then, you know, as you said before, you can just look at the SBOM, you know, put in a query to say, oh, yeah. Okay. We found it, which is a lot easier than perhaps not having that. So would you say that’s gonna be what helps with that governance layer?
Mark Anderson [00:32:10]:
Absolutely. I mean, it’s gonna take time to get there, but, again, think of a world where and this is sort of how we did it internally, by the way. So when Log4j hit, and this is, you know, a real world example, that MSRC team that I talked about earlier, which is like that frontline response team, they just looked up in the system because every one of our build pipelines creates those SBOM manifests, and therefore, that goes into the system. So rapidly, you can go through and sort of say, okay, what components do we have and where are they deployed, and are they a vulnerable version or not? So that cuts down your response time. So if you think about when everybody had to respond to Log4j here locally, I’m sure you’ve had lots of conversations where people were running around with their heads on fire because they’ve got third-party software from people, and they have no idea whether Log4j was in there or not. So they have no idea whether the thing they deployed is or was vulnerable. So for me, as we evolve and SBOM has really become a thing, I think it will massively help with governance. I mean, imagine, again, like, if you’re deploying into cloud, and every time you deploy a software into cloud, you also upload into the cloud system, the SBOM, and then just let the platform take over.
Mark Anderson [00:33:11]:
And then one day, it’ll ding you and say, hey. Just so you know, CVE, blah, blah, blah, blah is actually going to impact your application that’s sat out there right now. That’s more proactive than you having to go away, find that the CVE has been published, and then work out does it apply to you. I think we’ve got to sort of flip it on its head. It’s more like proactive.
Karissa Breen [00:33:30]:
So how many people out there do you think that have procured open source software, no SBOMs, don’t know really what’s in it, if there’s an issue. How like, what do you think percentage of people are? And then would you say this is a 100% what keeps people up at night? Because they don’t know what they don’t know. What’s in it, where it is, if there’s a problem, how do we track it? And if we do have to go and do that, it’s gonna cost more money, more resources, more time.
Mark Anderson [00:33:52]:
Yeah. I don’t think there’s a great awareness of it. I mean, I’ve done several presentations on it, and everyone’s gone, oh, I sort of heard about that. Oh, yeah. It sounds really interesting. I mean, even if you look at the, you know, the government information security manual, the ISM, there’s only a couple of mentions to SBOM, so it’s really in that infancy right now, I would say. In fact, interestingly, I was part of a team a few years ago that helped startups with mentoring, and it was a startup, an Australian startup, that was making tooling where you could insert your SBOM and do all of that tracking and exactly what I just talked about there where, you know, you could go in and look up in your SBOM database whether these things existed. And you could tell he’s really excited about it, but he’s also struggling to sell it because nobody fully understood what the value was at the time.
Mark Anderson [00:34:33]:
But things like, as I say, Log4j and a bunch of others would really sort of bring it to the forefront. But completely, I think it’s not been talked about, and it’s gonna take a lot of change as well. I mean, you know, as I say, we’ve done it internally, and we’ve had to do it especially in the US as well, because otherwise we wouldn’t be able to sell to US government. But for a lot of software houses, they’re going to have to implement it into their build cycle, and they’re going to have to start publishing these things out. And that’s gonna take time, and it’s gonna take a bit of a change in culture or a regulation. One of the two.
Karissa Breen [00:35:05]:
So let’s flick over to is it the S2C2F? Is that right?
Mark Anderson [00:35:09]:
That’s it. Yeah. Yeah. See? It’s already stuck in your head to see how amazing is that.
Karissa Breen [00:35:13]:
Ask me again tomorrow. So talk to me a little bit more about that because, again, I’m at the coalface of this industry. Like, of course, you know, supply chain is just a massive topic that keeps, you know, getting covered a lot. So how does that sort of work in a little bit more detail?
Mark Anderson [00:35:28]:
Yeah. So, really, that’s just a framework that we’ve put out that will break down the ways in which you should be thinking about addressing open source in your environment. So, like that example I gave earlier about those 4 different categories, so vulnerable, malicious, unavailable, and rogue, and then breaks that down into the, well, how do you need to think about building out your environment when you’re using these things? So a good example on that is, well, do you allow your developers to go and fetch things directly from the Internet? Well, no. You proxy it out and then ensure that when you’ve collected an open source piece of code from the Internet, not only do you then store it on a proxy, so you as an internal service so that you’ve addressed the unavailable component of it. When you’ve brought it in, you should then also be thinking about running it against known vulnerability databases. If you’re a little bit more advanced, then think about how can you run your own code scanning, you know, analysis tools over it to look for issues. And then the rest of the framework talks about, well, how would you, into your build pipelines, enable that SBOM type approach to show trail of, a, where that package came from, and how it went through the build life cycle, and how it came out the other end. So there’s a whole framework around how to think about all of those various components and what you should do. And I think it’s a really well, it’s quite comprehensive.
Mark Anderson [00:36:48]:
It is really a, you know, crawl, walk, run. Not everybody will be able to do everything on day 1, but there’s some very simple things that you could do to start with. Like, every time you use some open source, check it against a, you know, well known vulnerability database or use. So organizations like Google and so forth and others have also created Trusted Build. So instead of you having to rely on a component that somebody’s built on the Internet and you download the component, well, actually, trusted organizations like Google will have pulled the source code down and compiled it, and you can get the binary directly from them. So it’s all little things like that of and the whole framework of how to start thinking about that from end to end.
Karissa Breen [00:37:24]:
Okay. I quickly wanna now get into maybe some of the stats around critical infrastructure and then the state of IoT and OT security, which I think is really interesting.
Mark Anderson [00:37:32]:
Yeah. Yeah. Sure. So in the area of OT and IoT, like, when I read the report that we put out, it was one of those weird moments. You know, when I read it and went, oh, wow. Surprise it. But then in that same thought bubble, I was like, not really. You know, it’s an area that gets talked about all the time as being that weak point in the world of cyber.
Mark Anderson [00:37:50]:
But when you actually look at the stats versus, you know, hypothesizing about it, that was the bit that really, really set me back a little bit. So just to level set where we get our data from on that, it’s actually coming from within a team in Microsoft that’s responsible for Microsoft Defender for IoT, which is a capability we have. They it’s the mixture of their data plus working with industry partners as well. The reason why I found these stats so interesting is because the numbers really do paint a picture, and I’ve got probably there’s probably 4 stats that really made me sit up and think. I’d say the first looks at devices in industrial control networks, and this is coming from sensors that are deployed in the real world data, and it’s pulled back into our telemetry. And these teams found that the data showed that 78% of devices deployed in these networks are vulnerable. Of those 78 with known vulnerabilities, 46% of them cannot be patched. This is because the vendor no longer exists or it’s out of support.
Mark Anderson [00:38:45]:
And then 32% of that 78 were vulnerable and could be patched, but are not. In that sort of remaining 22%, so the 78 and then the 22, of that 22, 15% didn’t have any CVEs, and 7% weren’t patched. Now just keep that 7% in your mind for a moment. Next stat is 25% of OT devices on customers’ networks are using unsupported operating systems as far back as Windows 2000. And I’m sure that somebody’s listening and going, I can beat that. I probably got an NT 4 or an NT 3.51 sat somewhere under a desk, but 25% as far back as Windows 2000. And then the third stat was around 57% of devices on legacy firmware. That’s to say, firmware where there’s a more recent version are exposed to 10 or more CVEs despite there being a more recent version of the firmware that would significantly reduce that number.
Mark Anderson [00:39:39]:
And in many cases, the firmware updates are over 10 years old. So that’s to say the device hasn’t been updated for 10 or more years. And then the last one, which sort of blew my mind, was an area these are, at least, an application or a runtime that’s heavily used in programmable logic controllers called Codesys. And this runtime, a bit like think like a .NET or like a Java type runtime. So, Codesys is used on things like switching systems, motors, all in industrial settings, and it’s used widely in the industry by over 500 manufacturers supporting all sorts of architectures across the planet. And our team did some extensive research looking at the SDK and found 15 new zero-day vulnerabilities in it. So think about that for a moment. This is a runtime that’s used to control everything from power grids, water treatment, manufacturing, so threat actors can shut down, tamper, steal information.
Mark Anderson [00:40:30]:
So for me, when I looked at these stats, they really made me go, wow. You know, I knew this was a problem, but the numbers are a little shocking, and it got me thinking, well, how do you solve that? And by the way, this is a Mark Anderson viewpoint versus the report recommendation because I think I’m probably being a little bit more blunt than the professional report would be. But I think this is one of those moments where we really have those that control manufacturing lines or power grids, that position has always been, we don’t update these systems because the cost of downtime or failed upgrades is too great, and it’s really one of those areas that subscribes to the if it ain’t broke, don’t fix it methodology. However, I’m sort of gonna suggest that that position is no longer tenable. Right? You know, think cyber as either an extortion tool in a criminal sense or the disrupt and degrade or disruptive aspect of it in a nation state conflict sense has changed that forever. So I’d suggest that if you’re sat in the if it ain’t broke, don’t fix it crew, then I’d suggest it’s probably better to have your own plan to upgrade or replace the system where you can control it, test it first, and have a rollback plan. Because if you don’t, somebody will probably do it for you, take it down for you, and you have no control over that. And your downtimes are likely to be longer, and your potential for things like second order effects, like industrial accidents, most certainly greater.
Mark Anderson [00:41:55]:
And I absolutely realize, you know, when I make that statement, it’s easy to just throw those words out, and it’s probably much harder in reality. But I think it’s where you’ve gotta push through that too hard headline, because if you were to take everything that I just talked about there and took it from a general sort of IT cyber perspective and replaced all the words that were IT and OT and said that it was and put the word IT in instead, you would never accept a position where only 7% of your IT network fleet was patched, or you were running computers that had Windows 2000 on it, or had patches that were available for over 10 years that you haven’t applied to your computer. So, you’re as an IT admin, you’d be fired by this point. Right? So for me, it’s one of those moments where, yeah, you’ve definitely well, he’s well, he’s been getting away with it for so long. He’s been getting away for 10 years, so maybe not. But, yeah, you just get to the point where you go, is this really where the industry has to have a real introspective look? And I hope it just doesn’t take like an industrial accident for somebody to go, oh, yeah. We should really do something about that.
Karissa Breen [00:42:51]:
So when I go back to the stat from understanding, it was 46% that basically just can’t be patched. Is that correct, you said?
Mark Anderson [00:42:56]:
Correct. Yes.
Karissa Breen [00:42:57]:
So what happens now? Does that just mean as an industry, we’re just hoping and praying that no one’s looking there? Is that what you’re sort of saying? Because what happens with that?
Mark Anderson [00:43:08]:
Well, I guess, some of those moments where you go, well, if you can’t patch it, then how do you mitigate it? I guess that’s where you have to come up to. You know, like most things, if you can’t fix the problem, how do you mitigate it? Do you does that mean, for example well, hopefully, it’s probably on an air gap network, but okay. That might not be on an air gap network. So is there another control that we actually can put around that particular piece of equipment that would prevent that exploit from being exploited? So how do we block the path to exploit? So, ideally, you know, when something’s that far out of date, you would be hoping that, you know, somebody would be thinking about how do you replace that equipment. Because if it’s no longer supported or the vendor no longer exists, then when that thing breaks, it’s going to affect your systems anyway. But, yeah, from an IT and cyber perspective, it is more of a you’d have to sit back and think, well, how do I prevent that thing from being exploited, and what are the mitigations that I need to put there?
Karissa Breen [00:44:00]:
Well, I mean, 46% is pretty high, not 6%. And then you sort of went on to say 32% could be patched but haven’t been. So what is that? Well, I mean, look. Going back to your earlier point around, there might have to be a severe accident or catastrophic event for people to start paying attention. I mean, we’ve seen that even with the Optus, the Medibank sort of breaches. We don’t wanna get to that stage, but I think almost it forces people’s hand to be like, oh, well, we should have thought of that, you know, running, you know,
Mark Anderson [00:44:34]:
obviously want any form of, you know, industrial accident or something to be the catalyst. So the probably the only other way that you might see something like that happen is potentially through regulation, maybe. I don’t know. That’s probably potentially one way that you might find things like these might get pushed along a little bit harder than they currently are today. Because until, you know, you actually feel the pain of it, it’s one of those things that you can just push down. Kick the can down the road, I think is the phrase.
Karissa Breen [00:44:58]:
Yeah. Absolutely. You know, we don’t want that. I just think that, you know, sometimes history does repeat itself and, you know, we’ve seen this over the years. And as much as you wanna talk about these problems, people sometimes just don’t move because they’re like, oh, well, it hasn’t happened yet. So what is there any sort of final comments and/or closing comments you wanna leave the audience with today, Mark?
Mark Anderson [00:45:18]:
Probably say go away and read the reports. I mean, we’ve just talked about a you know, just skimmed it. It’s a 130 pages, so it’s most definitely go and get yourself a massive cup of coffee, and flick through it. But if you don’t have the time to do that, as I said earlier, there are shorter versions of it. We did do executive summaries, so I know you have a lot of busy execs listening to your podcast. So if they only want the 2 and 3 page version of just the key highlights, you can go and download those separately, and you don’t have to go and do the full 130 pages. But I’d suggest go away and have a read of it, a, because it will give you a view of the world in terms of, we didn’t cover nation states as a good example today. But as I also mentioned earlier, it’s not just doom and gloom.
Mark Anderson [00:45:57]:
There are some real good practical examples of ways in which you can start to build your cyber defenses based on what our people that are on the ground are actually seeing, be that through, you know, our telemetry and our capabilities in that side, or even teams like the Microsoft IR team, the team that run in when a customer has an issue and looks around the network and helps them fix and eject the adversary. So there’s a lot of learnings from those folks at a global level. So plenty of information in there, and I suggest go away and read it. There’s lots of great stuff in it.
Karissa Breen [00:46:39]:
Thanks for tuning in. For more industry leading news and thought provoking articles, visit kbi.media to get access today.