Podcast

Planning for Resilience Amid Global Cyber Threats

Posted: 5th May 2020
By: MONICA TODROS

Our guest is Adeel Saeed, veteran cybersecurity expert, technologist, and former CISO at State Street, previously having worked for organizations including the London Stock Exchange and the American Stock Exchange.

Our conversation centers on Adeel’s mantra of planning for resilience and eventuality amid a growing range of global threats — in the cyber realm and beyond. He shares his experience after 9/11, how it’s informed his approach to preparing for the worst, and how sometimes, luck plays a part in disaster recovery. We’ll get his views on threat intelligence, and learn why he thinks now is a great time to join the cybersecurity industry.

This podcast was produced in partnership with the CyberWire.

For those of you who’d prefer to read, here’s the transcript:

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone, and welcome to episode 158 of the Recorded Future podcast. I'm Dave Bittner from the CyberWire.

Our guest is Adeel Saeed, veteran cybersecurity expert, technologist, and former CISO at State Street, previously having worked for organizations including the London Stock Exchange and the American Stock Exchange.

Our conversation centers on Adeel’s mantra of planning for resilience and eventuality amid a growing range of global threats — in the cyber realm and beyond. He shares his experience after 9/11, how it’s informed his approach to preparing for the worst, and how sometimes, luck plays a part in disaster recovery. We’ll get his views on threat intelligence, and learn why he thinks now is a great time to join the cybersecurity industry. Stay with us.

Adeel Saeed:

An infrastructure technologist by trade, I started in financial services a little while ago and worked my way through the ranks through various financial services organizations, such as JP Morgan, American Stock Exchange, London Stock Exchange, and then State Street. Over time, I got a hold of being a corporate CIO, managing corporate systems, corporate functions, and managing information security as part of that, and then, more recently as the global chief information security officer.

Dave Bittner:

Were you someone who was interested in security or in computers from a young age?

Adeel Saeed:

I like to break things, and I like to build things, and I like to find solutions for problems. So, that naturally layered my interest towards computers, computer science being my major in school as well, and I was always leaning towards the infrastructure side, less the development side. On the infrastructure side, back when security was not that predominant, it was already built into all system admins or system engineers when they were building solutions. I had a keen interest in how to build, or at least in how to manage, secure systems, and that led to the whole security side of things.

Dave Bittner:

In terms of working with global organizations the way that you have, what is a typical day like for you?

Adeel Saeed:

No two days are the same, and if a day starts during the day, it would be a blessing in disguise. It is really a very collaborative approach because being regulated companies, you need to be able to comply with all the global regulations, which are set in place to first, manage the safeguard of the data that the organizations hold, processing of that data, dissemination of that data and safeguarding of that data.

Those regulations were put in place over many years. Some are new, some are really old. I think the old ones, both the regulators and the organizations have a good handle on, and they have learned by trial and error how to manage it and how to comply with it. It's mostly the new ones that have come around data privacy or data security, which are ever evolving, are always subject to a little bit of debate and professional back and forth, which requires understanding and interpretation because companies have not deployed it, no one has seen what good looks like, and that always becomes an interesting conversation with the regulators, which also drives a lot of innovation, which also drives a lot of modifications.

So, what I would say is, where a business would require a product or an end user would demand a particular item, dealing in this regulatory landscape also drives a lot of innovation, and it also drives a lot of questions. If we are protecting one side of the house, how would we protect the other side of the house, for example?

Dave Bittner:

Being that you're doing business globally, that means that you're dealing with a lot of regulations from different nations, different ... The EU has GDPR, the U.S. has different regulations even on a state by state basis. That's a lot of different regulations to juggle, yes?

Adeel Saeed:

Absolutely. It’s different regulations in different locations. At least in Europe, one could easily say GDPR is the predominant regulation that everyone has to comply with. Within the U.S., with the various states, there are different regulations starting from the East Coast to New York with DFS, all the way to the West Coast in California coming up with their own. Understanding the intention of the regulation, I believe, personally speaking, is more important than the letter of each and every step that is required in their regulatory compliance.

Because if you take a step back and look at GDPR and look at all the data privacy regulations that are there or are coming up now across different states and different countries, including Australia, you need to be able to protect the data in a way where it's not accessible by someone who shouldn't have access to it, you should have sound identity and access controls in place, and you should have a way to monitor, detect, and be able to respond in the event that data is accessed by someone who shouldn't access, and notify the recipient of that data. On top of all of that, you need to have the ability to give that end consumer or that end user the ability to consent whether their data should be stored or not in certain cases where you have the ability to do that. Just simplifying and taking out a hundred pages of regulation and just looking at those five or six paradigms can be a good starting point to find solutions or to find where you need to be compliant with where the gaps are or where the gaps are not.

Dave Bittner:

It's interesting to me that you describe the relationship as being collaborative rather than adversarial.

Adeel Saeed:

It is collaborative. Having an adversarial relationship with the regulator only gets you one place, which is back to the table to have the conversation. I mean, it's a very collaborative relationship, and I would say it is a relationship like you would have with anyone, even with a business. You would have professional disagreements, you would challenge professionally where there are gaps and where you are right, or where the interpretation is not being done accurately. But at the end of the day, the end result, if you take a step back and look at it, what the regulators want to do is make sure that you are not doing something that you shouldn't be doing, and you're complying with protecting the data, and as a firm, you also want to do the same thing, whichever firm it might be. All firms that I have worked for have been in that business of making sure that consumer data, or business data is protected with the highest level of integrity.

Dave Bittner:

What's been your approach to resilience? Obviously, with the COVID-19 situation, that's been brought front and center as organizations have had to adapt and adjust. What's been your approach to that throughout your career?

Adeel Saeed:

Planning for resiliency and planning for an eventuality has been the mantra of my career. Going back a couple of years, I would say over a decade, when 9/11 happened, that was a wake up call for many of us, including myself and at that time I was working downtown, and having seen the whole event unfold in front of my eyes and having offices and data centers downtown by Wall Street was an eye-opener.

Ironically enough, we had just done our disaster recovery testing the weekend before 9/11 in Upstate New York, and back then, it was a cold site. So, you have to recover everything from backup tapes, and run command lines, and configurations, and restore the data. So, it wasn't a hot, hot setup or the existence of cloud was nonexistent minus the clouds out there.

You really had to go through it, and we got lucky. We had practiced it the week before, so all our backup tapes were still offsite. They were due to come back. They had not come back yet, and unfortunately, 9/11 happened, and we got lucky because we invoked a disaster and we went back to our recovery site, Upstate. We had all our equipment and our backup tapes there, and we were able to literally use a little muscle memory because we had just done it the weekend before, albeit in a state of shock. We recovered the systems and we were up and running in 25, 26 hours with minimum loss, where there were other larger organizations, which were in the same facility, that were down for over a week, and two weeks. It wasn't that we did it better and you didn't do it better, it was just that we got lucky and we did it before.

But learning from that, what I practiced throughout my career and ingrained in my teams, and of course in the organization, is: you don't have to be lucky, you don't have to be a hero. You need to plan properly, you need to practice, and you need to practice enough for any event. So, whether it's a disaster like 9/11, whether it's a hurricane that could happen, or whether it's a pandemic like today, do you have the right tools, the right monitoring, the right solutions in place to be able to adapt to that? Which leads to secure remote access, which leads to not boiling the ocean, but plotting the ocean and making sure the systems that you are most worried about are your most important systems. They are the key to the organization. Instead of worrying about that Word document that sits on a marketing computer, are you really going to focus on that, or are you going to focus on that application which is your bread and butter, that is actually what the organization is dependent on?

Dave Bittner:

What are those conversations like with your board of directors when you're laying out these types of plans, speaking to them in their language, what does that look like?

Adeel Saeed:

It's not easy to start with, but over time boards have evolved and many people sitting on the boards have received a lot of information and are more prepared than they were before. So, I would say over the last 10 years, the boards that I've interacted with have really started to understand what it means to have disaster planning or resiliency planning.

Now, disaster recovery was always there. Business continuity was always there. Resiliency is almost a new term. It's not a new term per se, but it's a new term being used. So, at the board level, much information comes from the press or what has happened outside to others or to our peers in the industry and they look at examples, or if there is a regulatory compliance, for example, they'll look at that.

At a board level, as long as you can articulate it in a simple manner, and again, simple is very objective. In a manner which is digestible in where we are from our setup, where we need to go in order to derive the benefits in an eventuality that a disaster were to happen. I'll give you an example. For one of the organizations that I was working for, we had remote access which was great. It was there only for people that needed it. They issued their own devices, and we took a step back and said, "Well, do we really need to depend on that because in an event of an issue or a disaster or a business continuity event, would we be in a position to issue laptops to people and sanction only the chosen ones? Or should we make it more, I would say, democratic, which is, anyone can access it from any device as long as it's secure, complies with certain policies and gives people the ability to access the systems?"

Explaining that change ... Now, that change is so subtle because one would sit back and argue, "Why would you go and invest all this money in setting up an infrastructure when we already have it and it works fine? And if we have business continuity, we have laptops, or we can give people devices." Because, no one had gone through what we are going through today. So, how do you explain the future in the past?

So, explaining that was not simple, but what we had to use as the validation, or as the approach was, you're looking at an aged system and an aged technology which is susceptible to a lot of issues, where you have staff issues, and if you are a global organization or if you are a local organization, how would you mobilize the resources? That's one angle.

The second angle you use is monetary; the amount of money that you're spending in buying devices and hardware and software licenses. If you were to go into a more robust bring-your-own-device model, would you save on that money? And that gets the finance side of things taken care of.

So, you almost have to approach it in different manners, identifying and tackling issues which are representative of any organization in the world, which is: would it improve business processes? Great. Would there be a return on investment? Sure. Would it make us more agile? Great. And would it also provide us with the flexibility that we can use it elsewhere instead of it gathering dust? So, putting all of that together and then simplifying that notion takes work, and that's what you present, and if you're lucky you get it, and if you're not, then you still keep arguing your case. But I think I feel for everyone coming out of this crisis; anyone that's sitting in a seat with their boards or their management teams, they will have it really easy compared to many others that might have to go through many challenges.

Dave Bittner:

You mentioned how experiencing 9/11 informed the decisions you made after that, how do you suppose this COVID-19 situation is going to inform how we go forward from here?

Adeel Saeed:

In a variety of ways. It will inform people of the necessity to promote collaboration in a more effective manner and a self-service mode. Still, many organizations don't have a true self-service mode, or the users of the technologies are very much dependent on the technology teams of the organizations to support, for instance, a video conference or a conference call. This will inform a lot of people on how to be self-serviced.

This will definitely increase the bar for security, and I'm not saying it because security is close to my heart, but I'm saying it because security ... Where it was confined to the virtual four walls of any organization globally has now been expanded to everyone's kitchen, living room, any place in the house, the backyard, because you're no longer in the office, you're everywhere.

It will bring up newer ways to monitor and detect, it will bring up newer ways to provide secure access, and more importantly, it will also make companies realize that they need to be able to do these tests frequently and practice these sessions and practice other scenarios, which we have not thought of and not just in a paper-based exercise, but true tabletops, real-time exercises. Training and awareness would be key, and it would go to the top of anyone's list, while the technology teams in the background improve their overall security posture and bring in tools and technologies that are more easy to use.

Dave Bittner:

I want to shift gears a little bit and get your take on threat intelligence and the part that you think it plays in an organization's security.

Adeel Saeed:

I would say threat intelligence is the nucleus of anyone's security operations. Without active threat intelligence, without real-time intelligence coming through, it's very hard to be able to protect and manage the security posture of an organization. So, good threat intelligence is key, but with good threat intelligence that is filtered, that is specific, that also comes with a lot of background and data is good as well, because there are many places where you can get threat intelligence from: you subscribe to sites, you have intelligence communities that you work with, you have different software providers. But what's key is, how is that intelligence coming through, as it pertains to you from an organizational standpoint? How are the indicators of compromise that come with that intelligence, if any, available to you? And what level of information are you getting to be able to quickly react to it? That's very important.

Dave Bittner:

What recommendations do you have for folks who are shopping around for threat intelligence, trying to figure out for themselves, how much they're going to do in-house? How much they are going to engage with an outside provider, those sorts of things. Do you have any tips for how to start that journey?

Adeel Saeed:

Sure, I have suggestions. Because again, we are all learning in this environment and I'm a student of this practice instead of a teacher, but on this ever learning journey, I would say build it in-house to a degree. There's a shortage of security professionals globally anyways, there's a shortage of security analysts that can actually analyze threat intelligence and be able to decipher what to do with it. Getting intelligence is there, but to be able to interpret it, to be able to see or get that data again globally is very difficult.

Building it internally in itself, I don't think anyone will be successful because the depth of information you need, the places that you have to go to get threat intelligence, all the different sites globally, to dark webs, to be part of that community that might be a part of that APT group that might be doing this to get intelligence is very difficult. So you have to rely on the experts.

My suggestion is, definitely set it up internally where you can have at least intelligence sources coming in and being aggregated, but do go outside, do go to trusted real-time players that are out there, that have dashboards that are simple, that have experience with people that are sitting in this and doing it for years, and using this combination of people, process, and technology, and have analysts that can sit and decipher it and provide that information in real time. There're companies out there. I would say, don't just try to build it internally. You will fail successfully in not getting all the intelligence, but do rely on intelligence firms that provide the solution.

And I think that would be a good starting point and a leg up also because in the security world, Dave, we don't wait ... I mean, if you're going to wait to do things, the bad actors or the threat actors are not waiting for you to put solutions in place. They're on a pace, so if you procrastinate, or if you think, "Yeah, this won't happen to me," I think we all said we would never be stuck at home and locked down in the continental United States ever. I think the history says it all.

I think post this pandemic there will be a huge demand for security professionals. So between colleges, universities, or organizations, anyone that is in technology or not in technology and wants to go into security, I think this is a good time. If they're working already, to go and lend their support to the security teams within the organizations; if they're not working, I have great opportunities to find work in the security field. So, the more the merrier. This is my plea to get more people into this industry because we definitely have a shortage.

Dave Bittner:

Our thanks to Adeel Saeed for joining us.

Don't forget to sign up for the Recorded Future Cyber Daily email, where every day you'll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

We hope you've enjoyed the show and that you'll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast production team includes Coordinating Producer Monica Todros, Executive Producer Greg Barrette. The show is produced by the CyberWire, with Editor John Petrik, Executive Producer Peter Kilpe, and I'm Dave Bittner.

Thanks for listening.