In this week's episode Dr. Crane talks to Mike Wilkes, formerly the CISO at Marvel Comics, about keeping Iron Man safe and digital media security.
Mike is the chief information security officer at SecurityScorecard, the global leader in cybersecurity ratings and the only service with over a million companies continuously rated. Previously he was the CISO at the American Society of Composers, Authors and Publishers (ASCAP) and at Marvel Entertainment.
He has built, transformed and protected companies such as AQR Capital, CME Group, Sony and Macy's, as well as European banks and airlines. He is a graduate of Stanford University and the author of a book for Cisco Press in 2002. He is a featured speaker at technology conferences and a professor at NYU teaching cybersecurity courses. He also serves on the board of trustees of the National Jazz Museum in Harlem.
This episode was recorded when Mike was the CISO at SecurityScorecard; he has since moved on from that position.
In this episode:
00:00 — Highlight Clip
02:12 — Introductions
02:34 — Data Classification
04:01 — Document Management
05:34 — Marvel Security
06:55 — What Does Marvel Excel At In Information Security
08:10 — Tribal Knowledge For A New CISO
09:42 — Heraclitus
10:40 — Hackers
11:50 — Hacking Story
13:39 — Lessons For CISOs On Hacking And Experimenting
14:59 — Advice For New CISOs Starting a Team
19:07 — Tips For Companies Looking To Improve Security
22:36 — Sign Off
Mike Wilkes:
LinkedIn — https://www.linkedin.com/in/eclectiqus
Links in this episode:
The Security Chaos Engineering Book — https://www.kellyshortridge.com/book.html
Thanks To Our Sponsors:
Heinz College CISO Certificate — https://www.heinz.cmu.edu/programs/executive-education/chief-information-security-officer-certificate
CISOWise vCISO — https://www.cisowise.com/
Follow CISOWise on all podcast apps.
Website — https://www.cisowise.com/podcast
Show Notes & Transcript — https://www.cisowise.com/podcast/008-keeping-iron-man-safe-with-mike-wilkes
[00:01:57] Earl Crane: Mike, welcome to the program.
[00:01:59] Mike Wilkes: Well, thank you. Oh yeah, no, there is no cooler job than keeping Iron Man safe.
[00:02:03] Mike Wilkes: So I'm excited to share a few stories with you today and help provide some insights into how I found my path into the world of information security, and eventually into the role of CISO (there are different pronunciations). So,
[00:02:19] Earl Crane: I'd like to hear maybe some examples of some of the common data security mistakes and cybersecurity mistakes that you've either seen other companies make that you've learned from, or maybe some that you even made yourself that you'd want to share.
[00:02:33] Mike Wilkes: The job of information security should begin with data classification. And data security has to begin with data classification, but it's really actually common, I've found, for a company to not actually have documented and defined what its data classifications are. And I think there should be at least four: public, internal, confidential sensitive, and confidential restricted.
[00:02:58] Mike Wilkes: And, secondly, the same companies often don't have any tools or processes in place to discover confidential data on, for example, unstructured sources like file shares or cloud-based document repositories. A lot of these companies then further don't have any kind of document retention policy. There's a lot of sensitive data that can be subpoenaed, for example. When I worked at the Chicago Mercantile Exchange, we had a very strong records information management policy, and it would have been really horrible if you had documents around 11 years later when they should have been deleted seven years ago.
[00:03:30] Mike Wilkes: And that's an important part of any company, certainly large companies that go through mergers and acquisitions. You have to understand what's a record. You have to understand what its classification is, and you have to be able to prune with prejudice in order to keep the company from being exposed to unnecessary risk.
[00:03:46] Earl Crane: I appreciate that. Coming in from the government side, we have NARA, the National Archives and Records Administration. NARA sets those retention policies that you need to follow from a government perspective. And under the force of law in some cases, like the Presidential Records Act, we're required to maintain those records. But not every organization has the benefit of some legal authority.
[00:04:12] So are there any times where you've seen it particularly helpful, right? The "oh, thank goodness we marked the document, or we retained it" moments? Or, at the same time, any examples where you've seen organizations get caught because they didn't?
[00:04:28] Mike Wilkes: One of my favorite hobbies is whenever I'm given a Word document from someone, I go to the file menu and I look at properties. And then I look at the summary information about that document. I found some organizations had lifted a bunch of their policies from some other organization, and they forgot to clean out this metadata on the files.
[00:04:48] Mike Wilkes: If you have good metadata and if you have good data classification tools that can go and discover and scan data, and then insert this metadata, then you can actually have programmatic enforcement of DLP, right? And if you don't have the technique of scanning for the data, and you don't have a tool to do it, you're going to have a hard time demonstrating that you're actually in control of your data.
[00:05:08] Earl Crane: And to your point, it also highlights the diligence of the organization that sent you the document in the first place: they didn't even bother to check the document properties or run any sanitisation on it.
[00:05:19] Earl Crane: Are there any times where, because of the document management that you put in place, it really saved the day, was particularly helpful, and you're glad that had been taken care of?
[00:05:30] Mike Wilkes: Marvel has some of the best security on planet Earth, right? How can you release a film where the actors that were in it don't even know what's going to be in the final product until they see it on the red carpet day themselves?
[00:05:40] Marvel would send scripts to people with completely bogus scenes that they're not in, and that was a form of digital forensics and tagging to know where the leak came from. And so this was certainly a valuable aspect: not just metadata, but hidden forensic data that you can put into the document, so you know who created it, who requested it, and on what day, and then you can track it down later. So those are certainly ways of preparing yourself for the worst.
[00:06:05] Earl Crane: What year was it that Marvel was digitally watermarking their scripts?
[00:06:11] Mike Wilkes: Oh, I'm pretty sure they've been doing digital watermarking for a long time. Because you have so many people involved in the production process, right? You've got it translated into multiple languages. You're seeing pre-release film footage on the studio side. Even for the creation of the stories and the first-pass scripts, we used to set up an off-the-network machine in a conference room in order to do that in person with no chance of eavesdropping. The degree of control there I think is unparalleled. I think even Apple has leaks compared to Marvel, right?
[00:06:40] Earl Crane: Are there any examples or anything that you learned, when you were digging into that tribal knowledge at Marvel, that you could hold out and say, now that you've seen others as well in the financial sector, that Marvel was doing something particularly well in the information security space, maybe not even realizing it, that you could then apply across other fields?
[00:07:00] Mike Wilkes: Well, sure. I think the licensing operation was a particularly sophisticated operation. You don't want Captain America doing something unsavory with his Twitter. You don't want something happening that's out of character, because it's all about brand, right? These are franchises, all of the 5,000 or 8,000 characters in the Marvel Comic Universe. Each one of them could turn into a billion-dollar franchise.
[00:07:25] Mike Wilkes: Technically, Captain America himself was not an A-list character back in the old days. But these incredible franchises were built up from these characters.
[00:07:33] Mike Wilkes: And so I think of the sophistication of the digital asset management, the DAM that had been created, full of all of these licensing and contract rules that have been built up over time. They explain all sorts of complicated things that people just muse and ponder about on public forums and say, "I wonder why this character never appears with this character?" And it turns out it was some obscure licensing and intellectual property clause that was written into it.
[00:07:55] Earl Crane: For a new CISO that's dropping into an organization that needs to quickly understand the culture of the organization, the tribal knowledge of the organization, what advice would you give them?
[00:08:07] Mike Wilkes: Well, you've got to go and talk to the keepers of lore, right? At ASCAP there were a lot of folks that had been working there for a very long time, double-digit years. And that's incredible because they have so much knowledge. And I would go and gravitate towards talking with them and trying to understand: what are the crown jewels? What are the things I need to protect? Let me not be assumptive. Let me ask. There are certain things that need to be preserved and people are aware of it, like I said, maybe tacitly; it's not explicit, it's not written down anywhere. So go talk to the person that's been longest with the organization, ask them to tell you some stories, and figure it out. ASCAP, for example, was founded back in the days of what's called serious music, AKA classical music. How does ASCAP now, in the year 2021, reconcile that heritage and the fact that they have expanded to include all kinds of forms of music? And so there are all sorts of edge cases, right? You talk about business logic that's encoded into royalty distributions and all of this information. That's the stuff that you want to learn. You have to learn the business in order to understand how to protect the business.
[00:09:15] Mike Wilkes: And so I think that's the alignment of InfoSec, becoming not just a road bump on the way to a production release for code. InfoSec really needs to understand the valuable assets, how to protect them, and where they are.
[00:09:27] Earl Crane: And so I wanted you to share a couple of stories about what you have found that works well in an organization as you are building or maintaining a security program, or other stories from the trenches of things that don't work particularly well. I'd like to kick this one off by quoting an ancient Greek philosopher and historian, Heraclitus. He once said something along the lines of, you can never step into the same river twice. And so by this, I believe the world of cybersecurity and technology around us is like a river: it's constantly flowing and changing.
[00:10:02] Mike Wilkes: I think Heraclitus also meant to convey that it's us that is changing from day to day. Not only has COVID-19 really changed the attack surface of all of our companies and all of our organizations and supply chains, but the vulnerabilities have shifted and changed.
[00:10:16] Mike Wilkes: Certainly SolarWinds was something that was a bit of a wake-up call for supply chain attacks and how those can be expertly implemented and infect thousands and thousands of companies.
[00:10:25] Mike Wilkes: I think there are a lot of incredible rewards in InfoSec for people that are curious. And in my mind, I think of hackers often as being curious people. They're not all bad actors, some of us are just turning the doorknob to see if the door's locked. We're not there to steal or destroy what's on the other side of that door. And so I think I want to try to help the world not view hackers as a pejorative and as a negative.
[00:10:51] Mike Wilkes: There's a lot of good things happening in hacking. Hackathons are positive things. DIY, people fixing things themselves, and certainly during lockdown a lot of people have been baking sourdough bread and sharing recipes. I think there's a lot of good that can come from hacking and learning new ways of using tools.
[00:11:07] Mike Wilkes: A clever turn of phrase I heard once was if you don't know three ways of abusing a tool, you don't know how to use it. And so you can think of hackers as just getting really good at abusing tools and finding new ways of using them.
[00:11:19] Earl Crane: I appreciate those three points. Let's peel the onion back a little bit. Do you have anything, either from your past working with people, or maybe yourself, where you've been able to empower people that are of that hacker mindset to use it for good?
[00:11:35] Mike Wilkes: One of the stories I like to tell is about when I was working for a company called Organic in San Francisco during the dot-com rise and fall, and Starbucks was launching its first website in 1998. So I have the dubious honor, I think it's a good honor actually, of launching starbucks.com.
[00:11:51] Mike Wilkes: And what's interesting is Microsoft donated the hardware for the site so that they could brag and boast that it was running on Windows. I, of course, was the head of what would now be called the DevOps team back then that built the site and supported it and maintained it, and I had my pager attached to it. I didn't want the site going down because it was running on IIS on a Windows machine.
[00:12:11] Mike Wilkes: And so I actually decided to put an Apache web server in front of it. I reconfigured and recompiled the headers so that it would identify itself with a header string as IIS, because I didn't want anyone to know that I had set up a reverse proxy in front of the Microsoft-sponsored Starbucks site.
Earl Crane: So you masqueraded your Apache server as an IIS server to support IIS.
[00:12:36] Mike Wilkes: Yeah. And now it's called deception, right? Where the script kiddies would be throwing the wrong exploits. And I had all this caching and reverse proxying going on, so the backend Windows servers had a light time of it. But it was really fascinating to think that I had this instinct back then, when I was just doing pure infrastructure, to mess things up and to think outside the box in my approach. And the fact that I did this, and I didn't really ask permission; I just was like, well, there's no way I'm going to get a good night's rest, because when we were doing load testing the servers just kept dying after 30 or 40 concurrent requests.
[00:13:06] Mike Wilkes: And even though we put three or four servers behind the load balancer, it still wasn't enough for what was going to be coming at it. And so, I think that finding novel ways, experimenting with architectures, certainly Amazon and infrastructure as code makes that a lot easier for people. They can put things together that turn into accidental pieces of wonder.
[00:13:24] Earl Crane: What are some lessons you could extract out from that, that you might give yourself as a CISO?
[00:13:28] Mike Wilkes: Yeah, I think maybe give everyone a sandbox. One of the things I remember hearing about when I hired someone who used to work at Yahoo was that they instantly gave every new employee in the technology group like five VMs, and they would just fire them up automatically and give it to them and let them play around. And they could have different application stacks, different code versions. Because a lot of times you're painting in a corner of the canvas, and you're doing something new, and you want to give people that freedom to experiment and to have something that's not production, right?
[00:13:58] Although chaos engineering is kind of a new trend these days, right? Where you release the Simian army, and you let it start randomly destroying your infrastructure. À la the whole Netflix manifesto. Now they call it security chaos engineering. There's a book that was just published this year with a couple of authors, I think it was Kelly Shortridge and Aaron, I forget Aaron's last name.
[00:14:16] Mike Wilkes: But what would be my advice coming in as a new hire would be: get your feet wet with a sandbox environment. Set up your own free tier on AWS, so you can do some experiments there. And then I would provision infrastructure for them to play around with. Because you really don't learn how things work just by studying and getting a certificate. A lot of times the certificates are supposed to be a proxy for real experience, but nothing beats actually playing around with load balancers, EC2 instances, S3 buckets, and security groups.
[00:14:44] Earl Crane: So let's pivot to the third point you brought here, which is that we need help in cybersecurity. What advice would you give to, let's say, a new CISO who's needing to build a team from scratch, facing the staffing shortages and needing to build a security team?
[00:15:01] Mike Wilkes: This is the work I did at ASCAP. I was the first CISO there in the 107-year history of the company.
[00:15:07] Earl Crane: It's a long time to go without a CISO.
[00:15:10] Mike Wilkes: Yeah. So I built the team up from scratch, and one of the best things you can do is find those intrinsically motivated and interested security champions that are already in the organization and develop a dotted line. Have a one-on-one with a project manager who might want to become the InfoSec project manager. It's easier to grow talent than it is to buy it. These highly paid skill sets, people are changing jobs, and I think the CISO tenure is like 18 months on average at the moment, for various reasons.
[00:15:41] Mike Wilkes: People have the right to change jobs. You don't want good interested talent to not have a career path. And sometimes that entails pulling someone in from the development team, or pulling someone in from project management. Because they're going to love it because they're getting some good bullets on their resume. And learning new tools. Try to find something that's kind of a discrete workload. A set of your work stream that doesn't require complete integration with the entire security program. Give that to one or two people to help run. Obviously there's going to be people on the IS team and support desk that might be interested in, have a talent for it.
[00:16:13] Mike Wilkes: But in terms of finding that intrinsic passion: the person has to be doing it for that, because what's the opposite? It's extrinsic. If they have extrinsic motivation, that means they're just there for the paycheck, or they're there to gain some skills and then walk out the door and get a higher paycheck.
[00:16:28] Mike Wilkes: So you've got to try to find something in their character that is a real spark. And I don't care what that spark is. Some story that they could tell about their grandma having her identity stolen, or something that got them into InfoSec. That's certainly a useful searching mechanism.
[00:16:42] Mike Wilkes: Resumes are often just a list of lies. And they've been modified by recruiters to match the job description. And so I would say I pay a lot less attention to what's on the resume these days than I used to. Because I would hire someone because they had all the right keywords, and they had all the right experience. And I like to think maybe there's two kinds of people in this space, qualified and certified, and I'm fairly heretical in this view that I believe they didn't overlap that much.
[00:17:10] I don't want to go against the nature of certifications. But in general, I'm not against hiring someone that has zero certifications.
[00:17:16] And one of the things I find when I phone candidates, when I'm hiring for a position, is I ask a couple of intro questions.
[00:17:23] Mike Wilkes: The first question I ask is: tell me the difference between TCP and UDP at a high level. And if they get that right, then I drill down and go further and figure out where their depth on the subject ends. But if they don't know the difference, that UDP is a broadcast and TCP is handshake and confirmed...
[00:17:40] Mike Wilkes: I feel like you can't really do the job of security if you don't understand those basics. These are fundamentals that I look for, and I don't worry about people now knowing the answers to my first interview question by explaining it here. Because I can tell whether you really know it, you know, the answer to these questions.
[00:17:55] Earl Crane: I had an old boss that asked the same question. He asked me this one: he said, how many ports are on a system? And it would be on an IPv4 system. How many ports are in there? And you could either say, well, I don't know, or you could say about 65,000, or you could say 65,535. Okay. 65,536, now we talk port zero. Or then we say 65,535 times two, because you've got UDP and TCP. Right. And so as you build that, he did the exact same thing, and those are great screening questions. I want to go back to something that you said, though: finding someone who's intrinsically motivated.
[00:18:32] Earl Crane: I love that. I've been a real fan of finding those people who are diamonds in the rough that, on paper, they might get passed over. If you find someone like that, that also has that, as you said, intrinsic motivation, if you give them the opportunity to prove that and prove themselves, they will take it and run with it.
[00:18:52] Earl Crane: What, in your opinion, are the five things every company needs to know about tightening up its approach to data privacy, cybersecurity, and the other security components we've discussed?
[00:19:04] Mike Wilkes: Number one, get on the agenda for the next board of directors meeting, and request to start an external security assessment if you haven't already done one in the last year, because everyone's posture has drastically changed over the last year.
[00:19:17] Mike Wilkes: And certainly work from home has increased, like we said, the attack surface and changed in multiple ways. For example, I told everyone that got sent home a printer during lockdown, also send them a shredder because that garbage can is going to be looked at these days by criminals that know that the garbage is an information rich source.
[00:19:35] Mike Wilkes: Number two, I would say, pick a framework against which your organization is going to measure risk. Most people pick NIST CSF, right? Because you don't have to really think about it that deeply, it's a really great starter framework, and you can track and measure your roadmap against that framework.
[00:19:52] Mike Wilkes: Because if you don't have some kind of scoring system, it's going to be difficult to show that you made progress. You want to show proactively, that you're spending time doing things. Because if you've done your job, it'll be a kind of uneventful year, right? You want to take credit for that, and you need some way to show it.
[00:20:06] Mike Wilkes: I also think that SecurityScorecard's letter grades are a handy way to do that as well. Because you can score yourself, and you can score your vendors and understand their risk. Number three, I would say privacy engineering. I think of this as a new job description, actually, that companies need to start staffing for. GDPR put it on everyone's map, right?
[00:20:23] Mike Wilkes: Design for privacy, privacy by design, data rights, subject rights, and the right to be forgotten. But I really believe that this privacy engineering job description is at the intersection of database engineering, application security, and the legal team. And so you really need to draw a team together from those three disciplines and start writing this into your cloud migration and your data flow and how you architect data. Number four, discuss the items that are on your corporate risk register, and of course, make sure you have such a thing. Because the board minutes need to show that this item was added to the risk register, that the risk register was discussed, and that this item was taken off because it was mitigated. That is the daily due diligence of the board doing governance for cyber risk and security.
[00:21:07] Mike Wilkes: When you discuss that risk register, everyone has a non-trivial amount of vendor risk right now. And SolarWinds just exemplified that; it was a perfect example of that. And so I think there's tons of news releases and disclosures that'll be rolling out over the next year or longer, based on just that one. And then number five, I think this self-assessment of risk can't really continue at this leisurely pace of doing annual assessments, and we all think of this as due diligence and governance of third-party risk. I think that, like that Heraclitus river, we need to be measuring much more frequently. And if someone can afford to send out a questionnaire to their tier-zero or tier-one vendors once a year, how are they going to do that for 20,000 vendors if they're a huge organization, right? Intel or Nike or other organizations that have thousands of vendors: how do you scale to this massive desire to have observability and understanding of changes in the risk posture? How that river of risk is changing every day.
[00:22:06] So to summarize, these were one, get on the agenda for the next board of directors. Two, pick a framework. Three, the role of privacy engineering. Four, build your corporate risk register. And five, that annual self-assessments can't continue as they are.
[00:22:21] Earl Crane: Well, Mike, I really appreciate it. As a CISO, I have to say with great power comes great responsibility. So thank you so much for taking the time to share your wisdom.
Mike Wilkes: Excellent. Well, it was great speaking with you Earl and I look forward to the opportunity to speak again sometime, and we can do another set of questions.
[00:22:38] Earl Crane: I would love that, thank you, Mike.
[00:22:40] Mike Wilkes: Thank you.