This week’s podcast is sponsored by Intel. In it, we speak with Intel’s Suzy Greenberg about a recent study Intel sponsored with the Ponemon Institute looking at the need for greater vendor transparency around cyber security. Suzy is a vice president at Intel and general manager of security communications and incident management in the Intel Product Assurance and Security group.
The compromise of firms such as SolarWinds and Accellion in recent months has made clear to everyone that your organization’s cyber security concerns don’t stop at the firewall. Indeed, as digital transformation takes hold across industries, the security of software providers and third parties is now integral to the security and safety of pretty much every organization. Security teams, trained to monitor corporate perimeters and network traffic, now need to concern themselves with flaws buried deep in third-party products and attacks that come wrapped as software updates.
But what does that increasing reliance and interdependence mean for the relationships between software providers and their customers, particularly around information about software flaws and vulnerabilities? Do software and service providers owe it to their customers to be fully transparent about flaws or weaknesses in their platforms even in advance of patches, or is the byword still “say nothing unless asked”?
Those are questions I put to our guest this week. Suzy Greenberg is a vice president at Intel and general manager of security communications and incident management in the Intel Product Assurance and Security group. Suzy leads the execution of Intel’s global security communications strategy as well as the company’s response to matters involving product assurance and security.
In this conversation, Suzy and I talk about a survey (PDF) the company conducted with the Ponemon Institute to measure attitudes about vendor transparency about security. Among the survey’s findings: 47% said that their technology provider does not provide transparency surrounding security updates and mitigations.
To start off, I asked Suzy about Intel’s Product Security Incident Response Team (PSIRT) and how the company that makes the chips that power modern technology manages its own product security challenges. You can check out the full podcast above or download the MP3.
(*) Disclosure: This podcast and blog post were sponsored by Intel. For more information on how Security Ledger works with its sponsors and sponsored content on Security Ledger, check out our About Security Ledger page on sponsorships and sponsor relations.
As always, you can check out our full conversation in our latest Security Ledger podcast at Blubrry. You can also listen to it on iTunes and check us out on SoundCloud, Stitcher, Radio Public and more. Also: if you enjoy this podcast, consider signing up to receive it in your email. Just point your web browser to securityledger.com/subscribe to get notified whenever a new podcast is posted.
Episode 210 Transcript
[START OF RECORDING]
PAUL: This episode of The Security Ledger Podcast is sponsored by Intel. Intel is an industry leader creating world-changing technology that enables global progress and enriches lives. Inspired by Moore’s law, Intel continually works to advance the design and manufacturing of semiconductors to help address customers’ greatest challenges. By embedding intelligence in the Cloud, network, edge, and every kind of computing device, Intel unleashes the potential of data to transform business and society for the better. To learn more about Intel’s innovations, check them out at intel.com.
PAUL: Hello and welcome to The Security Ledger Podcast. I’m Paul Roberts, Editor in Chief at The Security Ledger. In this week’s episode of the podcast, number 210…
SUZY: I think we’re of the mind at Intel that it’s much better to be transparent and share the issues rather than to have a consumer assume that a product is safe just because nothing has been communicated about potential vulnerabilities. That’s a very risky venture.
PAUL: The compromise of firms such as SolarWinds and Accellion in recent months have made clear to everyone that your organization’s concerns about cyber-security don’t stop at the firewall. Indeed, as digital transformation takes hold across industries, the security of software providers and third parties is now integral to the security and safety of pretty much every organization. Security teams trained to monitor corporate perimeters and network traffic now need to concern themselves with flaws buried deep in third-party products and attacks that might come wrapped as software updates. But what does that increasing reliance and interdependence between customers and software providers mean, particularly when it comes to issues around software flaws and vulnerabilities? Do software and service providers owe it to their customers to be fully transparent about flaws or weaknesses in their platforms, even in advance of patches? Or is the byword among software providers still ‘say nothing unless asked’?
These are questions that I put to our guest this week. Suzy Greenberg is the vice president at Intel and a general manager of security communications and incident management at the Intel Product Assurance and Security Group. Suzy leads the execution of Intel’s global security communication strategy as well as the company’s response to matters involving product assurance and security. In this conversation, Suzy and I talk about the work that she does at Intel as well as about a survey that the company recently conducted along with the Ponemon Institute to measure attitudes about vendor transparency around security. Among the survey’s findings, 47% of those surveyed said that their technology provider doesn’t provide transparency surrounding security updates and mitigations. To start off, I asked Suzy about Intel’s Product Security Incident Response Team, their PSIRT, and also how a company that makes chips that power a great deal of modern technology manages its own product security challenges.
SUZY: Suzy Greenberg; vice president and general manager, Intel Corporation.
PAUL: Suzy, welcome to Security Ledger Podcast.
SUZY: Thanks, Paul. It’s great to be here.
PAUL: It’s great to have you. So, for folks who don’t know you or haven’t encountered you before, can you just talk a little bit about the role that you play at Intel? It’s a pretty big job you’ve got.
SUZY: Yeah, absolutely. I’m a vice president and general manager of security communications and incident response, what we call PSIRT at Intel, in our Product Assurance and Security Group. In this role, I really lead execution of our global security communication strategy and the way that we’re tracking and responding to matters involving security issues, coordinated vulnerability disclosure, and also our ecosystem engagements in this regard.
PAUL: Okay, so like I said, big job. Intel obviously makes products that end up in a lot of other products, right? I mean, that is — that’s just the nature of your business. So, if you could, just talk a little bit about the PSIRT function within the company and how it’s grown and evolved over the years.
SUZY: Our PSIRT is well-established. We’ve been in the industry working in this regard for about eighteen years now. We have a really robust way of working internally to ensure that we are tracking and mitigating the issues that either we’re finding internally through our own efforts of research as well as externally working with our research community and the bug bounty that we have in place that really encourages researchers to partner and work with us to mitigate these issues and communicate them to communities in a coordinated fashion, [00:05:00] ensuring that we have the right mitigation in place that when these issues come to light, the protections are there for our customers.
PAUL: So, it’s been a really interesting twelve months here with the covid pandemic and some huge forced transitions for organizations from employees working remotely and from home and all of the changes that that required. You’ve got a really interesting view there at Intel. What are your thoughts on what we saw in 2020 both in terms of threats and the demands that companies have had to meet to address covid and also keep themselves cyber-secure, I guess?
SUZY: Sure, yeah. No, that’s a great question. I saw an incredible stat where there was about a 300% increase in cyber-security crimes reported to the FBI since covid-19 started. That seems pretty staggering to me. It really has changed the way the entire workforce is engaged today. With covid-19, there’s a massive increase in the amount of data that’s shared, and it’s all dispersed. We are working from home, we are working from anywhere, and we’re using multiple devices. So, if anything, the pandemic has demonstrated that it’s incredibly essential for us to stay on top of security because the implications there, as you know, can be very significant. We’re seeing an incredible increase in spend on US dollars for critical infrastructure in this area. I think the number I recall seeing was about 106 billion dollars. There’s just a lot of bad actors out there, so we believe that the effort around transparency and the work that we’re doing in assurance around security can help everyone in the space be better prepared for the challenges that we’re facing in these new environments and those that we expect to encounter in the future as well.
PAUL: You’re listening to The Security Ledger Podcast. This episode of the podcast is sponsored by Intel. So, you talked about the work that you do at PSIRT and part of that obviously is the vulnerability disclosure on bug bounty programs and so on. Intel has actually done a study focusing on transparency and security assurance in technology decision-making. That kinda delves into some of the feelings and attitudes that customers have towards their own technology; vendors around issues like vulnerability disclosure and help with patching and stuff like that. Talk just a little bit about that study, what’s behind it, and some of the big takeaways that you guys have from the results of that.
SUZY: Yeah, absolutely. We recently partnered with Ponemon Institute to sponsor this study and at the root of this effort was really to better understand what is important to the industry and in turn communicate that out to share with the broader industry about what’s important and what’s needed. Then for us, Intel, we really wanted to focus on what we needed to deliver that customers want and need when it comes to ensuring trust with our partners and then just really bringing to light the features, the security, and the best practices for how to provide security assurance across the industry.
PAUL: One of the encouraging data points coming out of that Ponemon survey that you did is that there does seem to be pretty strong support amongst purchasers of technology, right? Companies that are more positively inclined towards companies that are — communicate openly about security vulnerabilities, both when they’re discovered, fixed, and so on rather than doing what I think companies often want to do which is sort of bury the bad news. I think 73% said they were more likely to purchase technologies from companies that were open and transparent about that.
SUZY: That’s right, Paul. At the end of the day, those IT decision-makers really value folks that are proactive and they want to know that they can trust the vendor, so the more you can communicate, the more proactive research and data that you can provide, the more the customer’s going to feel that sense of trust, right? We’ve really made it an ongoing commitment to take this seriously, to proactively identify and mitigate and disclose vulnerabilities in all of our products, and then also really closely work with external researchers to do the same. We talked about the bug bounty program, and those things really incentivize these researchers to foster a more collaborative environment in finding and mitigating those issues. We really try to share that best-known method [00:10:00] with more individuals and companies so that we can really lift all boats and make the industry as a whole much more strong when it comes to security.
PAUL: That said, the survey also revealed that almost half of the respondents said that their own technology providers don’t do a good job being transparent about security updates and mitigations. One question is, is that a misperception or does that seem like it’s, yeah, that’s kinda rooted in the fact that these are immature practices out there in the marketplace?
SUZY: I think that what it really comes down to is further education and helping folks understand that the vulnerabilities are there. If you aren’t finding vulnerabilities, it’s just that you aren’t looking hard enough. It really is a group industry effort to ensure that we’re all actively looking at these issues and that we are providing transparency so that we can shed a light on the problems at hand and bring in the right technical experts to help solve these bigger challenges and problems that we have. Just because we don’t find them doesn’t mean that they don’t exist, and I think that’s really a big takeaway. So, this number — I think that you’re right; it was a 47% — don’t provide this transparency. I think that there’s a little bit of potentially fear behind that. If we start to communicate these things, people will not be trusting of our products but until we really believe that, it’s quite the opposite, that the more transparent we can be, the more we can talk about the things that we’re finding and that we’re actively looking to mitigate and solve some of these problems is really going to lend that long-term trust and support of our products, the technologies, and the company as a whole.
PAUL: It seems also like it’s something that has increasing consequence for people because of course, we’re not just talking about enterprise technologies anymore; we’re also talking about a wide range of smart home and smart city and Internet of Things technologies that are really out and about in our physical lives, right?
SUZY: Absolutely, absolutely. Yeah, it’s a lucrative business, right, to exploit systems. It’s not just that interconnectivity; it’s also online finances and personal data. Just to riff on what’s going on in the world right now; a lot of folks are having to put out educational videos about not sharing your covid-19 vaccine card. I mean, oh my gosh, everyone, your birthday is on there. Get rid of that. It’s a matter of — I was reading an article the other day; it’s like a matter of minutes before folks are getting pinged that someone’s trying to open a new bank account or credit card with this information minutes after they’ve posted on Instagram. So, it’s just — there’s…
PAUL: It’s like, I know you’re excited, but just take a second. Look at that thing you’re about to post. Is there any sensitive information on there? Yeah.
SUZY: Yes, there is. Please don’t post your covid vaccine cards. Thank you.
PAUL: I think one of the other worrying statistics was — spoke to the resource and funding issue which is a huge percentage. 86% of the people who were polled in this survey — within organizations, within enterprise — said that their security budget where they worked was not adequate to support a strong security posture. This isn’t the first study that revealed that people feel like there isn’t enough investment in IT security. I guess, what do you think about that and how do we even measure that? Should it be a measure of percentage of IT spend? What is the right amount to spend on security and how do we — like you said, how do you lift all boats if there is such obviously widespread feeling of underinvestment?
SUZY: It’s a staggering amount. It’s not surprising to see that folks would like to see more investment in security infrastructure and in IT budgets. One of the other challenges though and what we’ve found is that the budgets really are dispersed to a point where it’s hard to be able to identify the actual real bucket of money, where the decisions are being made, and what are the priorities as well? Some of the budgets reside in IT. Some of the budgets reside with the CISO and in other organizations it can reside in the business units. So, that creates a challenge as well, right? Because you don’t have that visibility into the full bucket that you have of money to actually apply to these efforts. Then, the decision-making process is also then dispersed amongst different people and so, you might not get a holistic approach in the way that you’re actually spending those dollars that you might have just a limited amount for, right? So, it’s hard to [00:15:00] efficiently do that as well because there’s no consistent or best-known practice for where the money should reside and how it should be spent.
PAUL: Right, and with web-based applications too, some of these could be provisioned by individual employees and expensed monthly. You have no idea really what is actually being used within your organization because it’s become so easy to just provision new services lickety-split.
SUZY: It’s hard to sometimes invest in something that isn’t a known threat or a real threat to you in that very moment, right? So, we have to talk a lot about the potential for what could happen. What are these scenarios that could play out that could just be devastating to a company? A lot of times, we live in a world where it’s like well, that didn’t happen or we were able to skate through that one, and it’s like, you don’t understand that on the back end there’s a lot of investment going on to really protect the customers, protect the company. But if we’re doing our job, none of those things are gonna come to light and you’re gonna think well, why did we need to invest so much here? I think that has happened.
PAUL: Kind of a victim of your own success in some ways.
SUZY: Yes, yes. Exactly, so it’s really educating folks on the investments today are intended to really help support those issues in the future where the cost to a company could be incredibly devastating. So, we need to think about that as well.
PAUL: Yeah. I mean, we see that with — obviously with ransomware and the SolarWinds incident and so on that the cost for going back — NotPetya costing hundreds of millions of dollars, billions of dollars for companies to recover from this attack, so yeah, the stakes are no longer just okay, we’re — we lost our e-mail server for a day, or — it can be an existential threat. What steps can vendors take to — given that transparency seems to be a plus and that company — that customers want their vendors to be more transparent and work openly around security; what steps can vendors take to get themselves on that path?
SUZY: So, I think there’s a number of things that can be done to really move this forward. Working in — as an industry is really critical in this regard. We are engaged with dozens of Tier 1 companies that we partner with and communicate with on a regular basis as part of our coordinated vulnerability efforts. That really is encouraging everyone to come together and to solve some of these hard problems that require great minds from a lot of different places.
Really, that ensures that we are working towards protecting data proactively rather than after the fact like we were just talking about, and then communicating as much as possible and really using that as a bridge to help build more trust with our customers and let them know that we are focused and intent on ensuring that we are finding these issues, as many as possible before they get out the door, but that we also are proactively working with that external research community as well so that when they find those things and we bring a light to them, that we are communicating that broadly and making folks feel like we have their backs and that we really have a proactive approach to these efforts and that it’s critical for us all to be engaged and involved. I think that’s really the key at the end of the day, is that this can’t just be a few folks that are trying to move this effort forward, that it requires everyone to have a singular focus on security and ensuring that we are communicating and working to mitigate these issues as quickly as possible.
PAUL: One of the things that has become more common in addition to bug bounty programs are ethical hacking; red teaming, that type of practice, and your survey with Ponemon showed pretty quite strong support for those types of initiatives, hiring people to sort of hack their own stuff. What’s your sense on how common that is in the marketplace these days for companies to fund those types of internal programs and in addition to funding them, maybe also making some of the findings of them available to customers or at least make customers aware that they’re doing this?
SUZY: We’re seeing a lot of those ethical hacking programs come up more and more across the industry. This is really a positive trend where this is becoming more of the norm not just in technology but in all communities and industries where folks are realizing that you don’t need to be a technology or security vendor to have a program like this, to critically look at your products and try to find things that need to be [00:20:00] mitigated or improved upon. Our bug bounty program is a part of that from an external perspective in working with CVD and the process there. That really does build that foundation for trust, that collaboration and being able to develop the mitigations and share those findings. That’s one of the things that we like to talk about when we go out and publicly disclose the number of things that we found in our own products within a given calendar year. I know you’re familiar and have had a chance to look at our 2020 product security report. But sharing that data and being able to communicate the number of vulnerabilities that were addressed as a direct result of our investment in security assurance and in ensuring that people understand that the CVEs that we’re publishing were found by internal Intel researchers. About half of the full vulnerabilities were that — from that number.
PAUL: Just to clarify, other companies might not publicly disclose those if they were discovered internally, right?
SUZY: Not many do, actually…
PAUL: Not many do, right.
SUZY: … today. No, no. We think this is really important and we want to be a role model from that perspective. So, that’s why the product security report is so important.
PAUL: Is there a place for legislation here to compel that? ‘Cause I’ll note, for example, I’m working on a story right now about some major agricultural equipment makers — won’t name names but there are only a few of them with hundreds of billions of dollars in sales, very diverse product catalogs who don’t have a single public CVE for any product. So, you’re left to wonder okay, just like we’re talking about, right? Are they finding plenty of CVEs internally and just fixing them and patching them but the product is secure, or is this evidence of just, we’re not paying that much attention to this because for whatever reason we still think of our products as mechanical machinery in a field that doesn’t need to be pen tested? You don’t know from — looking at it from the outside, you have no idea because you don’t know what’s going on internally. You’d think oh, these are multi-billion-dollar companies; they must have something. But, you know…
SUZY: Do they?
PAUL: Miller and [inaudible] and the Jeep Cherokee; you know? You’d be surprised sometimes, right?
SUZY: Right. All of that speculation, it’s hard to say because if it’s not being communicated, all we can do is just wonder what’s going on within those companies. You’re right; it spans a number of different industries. It’s not just a technology company problem or challenge. I think that it can create misperceptions for consumers and that’s dangerous as well. I think we’re of the mind at Intel that it’s much better to be transparent and share the issues rather than to have a consumer — I’m using air quotes — assume that a product is safe just because nothing has been communicated about potential vulnerabilities. That’s a very risky venture and one that we — we really don’t want to go down that path.
PAUL: Do you have success or does — has Intel had success in pushing some of these programs down? Because just because you — I don’t even know how many customers Intel has but I’m sure it’s bajillions of customers all through the marketplace from obviously huge corporations down to small companies making discrete little components. Is this something that Intel can kind of push down into the marketplace and evangelize or is it something where you need the heavy hand of government to come in and say if you’re making an internet-connected consumer electronics, then you need to meet these benchmarks in terms of cyber-security? You need to have a vulnerability disclosure program, you need to have a front door for the researchers to come to, and all the things that we talk about.
SUZY: There are a number of industry consortiums that we’re very actively involved in, especially NIST is a big one. That’s where we feel that bringing the community and the industry as a whole together and talking through these problems and bringing the industry experts that are actually living and breathing these problems every day is the most effective approach from our perspective simply because we understand the nuances. We, in some cases, understand that things may not necessarily be black and white, that putting a hard, fast timeline around the amount of time you have to fix an issue can be incredibly challenging for the researchers, for our engineers. So, there needs to be an industry effort to focus on these problems but then also in understanding that you sometimes don’t see from a government official who might be writing a bill for what they think we need [00:25:00] to be applying from a coordinated vulnerability disclosure, for example.
On the flip side, I’ve been incredibly impressed with the way that Intel really approaches sharing best-known methods and working really closely with the industry. I’ll use the PSIRT work as an example, that we have a number of instances I can point to where we’re working with other companies — in some cases competitors — to really help support them in standing up their PSIRT and to make sure that they have all of the pieces in place. Because at the end of the day, again, it’s really going to benefit us to be able to have that coordination, to have that partnership, to have that strong link to these other companies that have also stood up these PSIRTs and are doing all of the same steps, right? Because then we have that collaboration and we have those processes that are consistent across all these different companies. It all benefits the industry as a whole and that’s the really — the perspective that we take. I really appreciate that about Intel in this regard and I continue to foster it as part of the team that I run.
PAUL: I’ll share a happy story which is, Security Ledger a few months ago was among the websites that broke stories about exploitable vulnerabilities in these TCL smart television sets. That company kind of in response to those was like, you know, we really don’t have a security program and we see that this is a problem. Then I think just today they kind of unveiled their vulnerability disclosure program with some pretty…
PAUL: … yeah, pretty meaty rewards for security vulnerabilities, and a dedicated website and the whole bit. I was just talking with the researcher who had discovered the initial flaws and he was like yeah, this is pretty good; they definitely were listening and have responded which is encouraging.
SUZY: That’s fantastic. Yeah, and if we can get to other companies and help them understand the importance of investing in security and investing in these programs and these teams before something happens that gets written about in Security Ledger, then even better.
PAUL: It is always better to do it proactively than to do it in — with a reporter on the other line.
SUZY: Yes, yes, absolutely.
PAUL: I would strongly urge companies to not wait for me or somebody like me to call you. That’s not the position you want to be in. Hopefully we’ll get there but there are still a lot of companies waiting to hop on the clue train.
SUZY: We have a lot of work to do but…
PAUL: We do, yeah.
SUZY: … I’m very encouraged by the progress and just the receptiveness to hearing how we work and how these things can really strengthen your systems and the industry as well.
PAUL: Well, and some of this is cultural too, right? Technology companies have been dealing with security — independent security researchers for like, two decades, right? So if you’re Microsoft, this is not — you’ve been dealing with these characters for a long time and you’re used to it; or Intel.
SUZY: Right, but like what you just said, you used — I am not gonna use the word that you just said, the ‘c’ word right there, but there’s a lot of very interesting individuals that work in this industry and I think that there’s a hesitancy to try to — or want to engage with them. It needs to be quite the opposite; you need to bring them into the fold. They’re going to be finding these things regardless. It’s really in everyone’s best interest to find a way to work and engage with these communities.
PAUL: Right, and if you’re a company who’s been making a device, like a mechanical thing — I’m gonna use the example of agriculture before; a tractor. This is a new — the software piece of this and everything that goes along with it is relatively new to you. Maybe you’ve only made — had software be a big part — and maybe internet-connected software, internet-connected devices might only be five years old in your company, if that. So, your — you’ve kind of suddenly been introduced into this whole world of vulnerability researchers and 0-days and CVEs that is totally new for you as a company and that you may have plunged ahead with the features without really taking all that into account. So, I think culturally there’s that aspect to it as well that can be hard.
SUZY: Absolutely. Yep. No, I appreciate that it’s very daunting to proactively come out and talk about things that are wrong.
PAUL: Yeah, yeah, that are problems, yeah. You want to be like, you know, just leave us alone; we’ll fix it.
SUZY: Everything’s good.
PAUL: Everything’s good. Yeah, we’re doing great. You know that’s not true.
PAUL: Hey Suzy, this has been so great. I really enjoyed our conversation.
SUZY: Yeah, me too. Thank you so much, Paul. I appreciate it.
PAUL: Absolutely. Suzy Greenberg of Intel, thank you so much for coming on and speaking to us on [00:30:00] Security Ledger Podcast.
SUZY: Thanks, Paul.
PAUL: [MUSIC] Suzy Greenberg is the vice president at Intel and general manager of security communications and incident management in the Intel Product Assurance and Security Group. You’ve been listening to The Security Ledger Podcast. This episode of the podcast was sponsored by Intel. Intel is an industry leader creating world-changing technology that enables global progress and enriches lives. Inspired by Moore’s law, Intel continually works to advance the design and manufacturing of semiconductors to help address customers’ greatest challenges. By embedding intelligence in the Cloud, network, edge, and every kind of computing device, Intel unleashes the potential of data to transform business and society for the better. To learn more about Intel’s innovations, check them out at intel.com.
[END OF RECORDING]
Transcribed by www.leahtranscribes.com