S4 #10 Digital spinach: Why software updates and patches can't be ignored

[00:00:00] KRISTINA: Who likes frequent software updates and patches? Okay, maybe no one. The hard truth is the technical sins of omission can create costly or damaging consequences for users avoiding the updates and patches and anyone connected to their cyberspace.

[00:00:13] INTRO: Welcome to The Power of Digital Policy, a show that helps digital marketers, online communications directors, and others throughout the organization balance out risks and opportunities created by using digital channels. Here's your host, Kristina Podnar.

[00:00:30] KRISTINA: Today on the “Power of Digital Policy”, we're talking about the things none of us enjoy doing, but know that it's good security posture, patching and updating to ensure sound security in our digital operations, broader networks, and those connected to them, as well as anything good for us in the cyberspace, kind of like eating our spinach, if you will, with us is Mike Starr, CEO and founder of Trackd. Mike is a cross-functional leader and former NSA engineer with experience building and launching products in new and disruptive markets. He's built and led teams at Fortinet, OPAQ Networks, IronNet, and the NSA. Mike received his Bachelor's degree from SUNY Alfred and enjoys nerding out on wine and reading fantasy novels in his free time. Mike, welcome.

[00:01:12] MIKE: Thanks so much, Kristina. A pleasure to be here.

[00:01:15] KRISTINA: What is it like to work in cybersecurity these days? Do you feel like you're making everybody eat their spinach?

[00:01:22] MIKE: I wish. I think you know what, I think it's interesting, like, I don't think that it's been, it's not that different. I think it's the same as it's always been. It's fun, it's been challenging, if not a bit frustrating. But it's always a moving target, and maybe the pace is a little bit faster. Potentially, there's a bit more sensationalism, but fundamentally, I don't think working in cybersecurity has really changed all that much.

[00:01:45] KRISTINA: But it seems to me like the number of unpatched vulnerabilities, especially on corporate networks, continues to rise. I work with a lot of multinationals, it seemed to you like security teams and IT departments are giving up or what's the status right now out there?

[00:02:02] MIKE: I think, I think it could seem that way just that, you know, the numbers are going up and up and up. But, and, as a result of that, it's like there are more devices, there's more software being pushed. And so those numbers are going up. And what I think is that we haven't really given the teams that are responsible for dealing with these problems, the tools that they actually need fundamentally solving for these problems that are the source and as a result, like, as we deploy more things, there are more containers, right, it's easy to deploy thousands, tens of thousands of containers versus it's, really hard to deploy 10, 000 servers versus 10, 000 containers. And so you just see the number of things in enterprise exploding. And so you said, well, maybe people have just given up. They're not working. Or what I really think is that there's just been a lack of truly fundamental understanding and approach for what are the fundamental things that cause vulnerabilities to persist in certain environments.

[00:02:56] KRISTINA: As somebody who really hates patching, and I do every time a new patch comes out, I'm like, do I really have to patch? Is this a thing? And how long can I hold off on patching? And usually somebody from IT No, you really can't like you have to do this. Do we have to do that? And like, how can we even tell? Because as users, especially maybe some of the folks listening, the first thing they're thinking about is, how will this upset my operations, I don't want to have downtime.

[00:03:23] MIKE: Yeah, exactly right. Like, how is this going to break my shift, right? Like, how is this going to interrupt my life? The short answer is yes, you need to do it. There's, you know, the two reasons people update their stuff is because security makes them, because they're going to get potentially hacked. The other is there's some really interesting feature that they want to use. It almost never is the latter the case. But at the end of the day, less than 2 percent of patches are ever rolled back. And this is based on a private study we did early in Trackd founding. But the more interesting is that over 99 percent of successful breaches leverage the exploitation of vulnerabilities. Those vulnerabilities have been around for over a year, meaning patches have been around for over a year. So if you just took a view of let me patch all that's been around for a year, you would largely eliminate your cyber risk from a vulnerability exploitation point of view. And so if you can stay on top of just that, which isn't the case right now. But if you could just stay on top of your bones that are over a year old, you largely minimize your risk of exploitation.

[00:04:26] KRISTINA: Here's a trick question: patching or password updates?

[00:04:32] MIKE: I think the answer is really easy for me. It's patching. I'm biased because I run a patching company. But also, I think there's this big push towards passwordless, and I think that the whole concept is, is really intelligent, and it's also the same that we have at Trackd, like, you can't break into a window if you have no windows, you can't steal a bike if there's no bike and so, like, you can't, if passwords aren't a thing, then you can't get your password stolen and if there are no holes in your corporate enterprise because they're all patched up, well, then you can't, there's no, no way to get into a breach, right? There are no windows in a bank vault. And so, for me, that answer is pretty easy. It's get rid of your passwords and patch .

[00:05:11] KRISTINA: All right. You heard him say it. Just go out and get it done. So, are we coming to terms now with just having to live with a certain amount of risk and things like paying ransom or a certain amount of breaches? Because it seems like we've become a little bit immune to the fact that it's just a cost of doing business.

[00:05:39] MIKE: That's an interesting question. I hope not. I think that, you know, one of the things that causes a bit of maybe what seems like this maybe lack of motivation to do security things or eat our spinach is that there's operational risk associated with mitigating cyber risk, and unless you're responsible for that operational risk, you don't know about it or you don't care about it. Hopefully, you just don't know about it writing you're not so apathetic that you don't care about the people who actually have to do that work. But it's not always obvious how difficult it is to do, you know, a couple of patches during a maintenance window you already have. There's a significant or get rid of all your passwords, right? Like it's a lot of operational risk associated with the people who run the infrastructure that runs the IT. The interesting thing, like I, I hope the paying the ransom thing isn't just the thing that's happening. Paying the ransom legitimizes the attack factor. And so if companies never paid, then cyber bad actors wouldn't use ransomware. Now, it's really easy for me to say, well, just don't pay the ransom when I've not actually had to face that decision myself, right? I would like to say that if I were in that situation I wouldn't pay the ransom, but who knows, right? Like there's the person that has to, or the executive team that's making that decision has a, you know, it's a multifaceted, very difficult decision to make. And yeah, like the ideal is don't pay the ransom. And then ransomware just goes away. But that's not tenable.

[00:07:02] KRISTINA: Is there a level of coordination that matters for multinationals that maybe is different for organizations that operate just like one locale? I'm thinking about a lot of the folks who are listening. They are global corporations. Is there an acceptable level of sort of insecurity, if there is such a thing? Given that they are in different locales, is it okay to be less secure in one place than another? Or is it sort of like, eh, you know, if your back door is unlocked and your whole house is insecure like you said?

[00:07:37] MIKE: I mean, the answer is, like, everybody has a level of unsecurity. I don't know what corporation or what entity is the most secure, but they have some level of unsecurity, right? And I don't know what that is, but you can't operate In a completely secure environment, and this might be something like people like to talk about these air gap networks, and I have a pet peeve with these things where if it's not connected to the Internet, it's secure, which we know that's not true. There's plenty of air gap breaching malware; you can read about Stuxnet if you haven't read about that, that's probably the most, famous one, but I just think that the level of unsecurity, a company or multinational, whatever is willing to accept is it needs to be based on information, like a data-based decision that not only incorporates, it's the word that I'm looking for, like quantifiable data, but also qualitative data, like who is involved in mitigating your cyber risk, right? Maybe this, maybe you don't have enough people for a particular, maybe it's a zero-day, or maybe it's just routine vulnerability patching. Maybe the team is on holiday. And this is the case for a lot of European countries to America's jealousy; they have a lot of paid time off where we do not, and so they, they're empowered to take that, and they do. And so I think that just understanding what needs to be done? Like, what's the focus? What, like, what are the things that the business cares about? What are they trying to solve for and focusing on those things? Like, you're just, you just have to accept some amount of risk how risk tolerant the entities are, or even the entities within different nations or even different states or time zones or whatever. If you know what you're, what you need to solve for, and you're, you've clearly defined, these are the things that we'll accept as risk, then you're in a good spot, but to say there's some pinnacle of like pure like security. You're always like someone's 100 percent secure is a misnomer.

[00:09:32] KRISTINA: I was going to ask you who's the most secure that you've ever seen, but I guess we're not going to be talking about that today.

[00:09:39] MIKE: Yeah, I don't, I don't know. The most secure?

[00:09:42] KRISTINA: I mean, is there a gold standard? Because I always get asked that, right? People are like, hey, what's the gold standard for policy? So, thinking about what's the gold standard for you? Who would you give a gold star out to? Is there anybody?

[00:09:54] MIKE: I think this is a can of worms. I'm going to open up, there's a comment section on this. So we're going to open it for the flame bots. I don't know. I feel like, I feel like the vendors that try, all vendors are trying to do a good job, at least the major ones. Like you think of like, look at Microsoft and Google, maybe Apple, not so much. But Google and Microsoft are at least putting effort into describing the vulnerabilities that come out, patching them quickly, or providing patches that work with them quickly. And now this is just one biased view, like who knows what the internals look like. But from an outside perspective, as you see, like, oh, Microsoft's got the most vulnerabilities across all of all of NIST. Well, you said, well, they also have the biggest deployment of all of NIST, and in regard, like ratio regard to the other vendors, they're on power smaller. So. I think it's just really hard from an outsider looking in, and then for those companies that I've consulted with, I can't really talk about them. Yeah, I just... It's a really hard, it's a really hard question to answer, and I don't know that I can actually answer it.

[00:11:00] KRISTINA: That's all right. I'll put you on the spot next time. So your startup has a mission, I think I'm quoting you when you said you're basically in the business of revolutionizing vulnerability and patch management by focusing on the fundamental bottleneck for slow patching, fear of the unknown. How are you different? What's new?

[00:11:19] MIKE: You're right; there are hundreds of vendors in the space, and vulnerability and patch management has been so bad for so long that there it's even cropped up, created new markets because it's been so sh**tty. The biggest differentiator that track does is we're the only ones answering the only question that any operator truly cares about when going to patch. And the question is, will this break my sh**t? And I know this, I started tract as a result of me sitting on a data center floor, crossing my fingers, hoping that my internet routers would come back up, my BGP sessions would come back up, blah, blah, blah, just thinking like, man, if someone else if I knew someone else applied this, this patch and had the same traffic engineering rules that I did and blah, blah, blah, would I be able to patch more aggressively? And so that's the thesis that is born out of Trackd, and so like, people don't patch fundamentally because they don't know how it will impact their life, right? We don't patch because it's go something's going to happen. We don't patch because we don't know if anything is going to happen. And so, especially if you're an IT operator, like, not only do you have to patch, but you have to deal with coffee log laptops, and password resetting, account creations, and phone calls, and blah, blah, blah, blah, blah. And so patching is just one component of the thing that IT folks have to deal with. And then if you're a security person, all you care about is cyber risk, right? You most a lot of that is how many volumes do we have in our fleet? And so there's this kind of disjointedness between security and it teams, especially for this problem, because security can't typically remediate the vulnerabilities, but they're associated with, or they're responsible for tracking and reporting on progress. And then IT cares about everything but Cyber risk. All they care about is operational risk. And so these two things are at odds with one another. And so another component that makes us different is that we've built from the ground up a platform that it solves holistically for both security and IT needs. Again, security cares about cyber risk, IT cares about operational risk, and one without the other is worse than useless. It's the main reason that there's so much consternation between these two teams and why we haven't really made a lot of progress. And part of that is because vendors, you know, like to perpetuate this false dichotomy between these two teams because it's easier to sell into one group. But, this is like in the Trackd platform; when you log in, if your security, you see the things you care about, but it's in the context of the others. So you can start to form questions that are actually useful to or give you enough data to ask questions that are interesting and useful to the other party. And then the final thing is that we allow people to find and fix their vulnerabilities for free across any major operating system, and it will always be free to find and fix your bones in the track platform.

[00:13:54] KRISTINA: How does that work for organizations or folks not relying on their security or IT teams? For example, I work with several digital teams that are like, you know what? We're just not going to rely on our IT teams because we don't like them. They're not giving us the service we want. We're going to go out and procure SAS tools, or we're going to deal with folks that we want to bring in. Are your solutions intended for those users? Or is it mainly for folks who are in the business of hosting either in the cloud or on-prem their solutions?

[00:14:29] MIKE: So what I think you're asking is, can you support managed service providers, managed system security service providers, and so the answer is yes. The platform is built, and actually, quite a few nearly 20 percent of our active users today are MSPs and MSSPs, and so we don't have all of the normal quality-of-life features that most MSPs want from a truly pure channel sales or MSP play. But we do have a lot of them, and the platform has been very well received at and the indication of that is that they're willing to deal without these features that they typically demand. And so, yes, we've built a platform to allow for MSPs and MSSPs to run this for their clients. But also, if it's something that you have a dedicated IT team and a security team that do this in-house, we allow you to do that easily as well.

[00:15:17] KRISTINA: We're focusing so much on risk. I love the fact that we're talking about risk, right? It's like risk sells at the end of the day, but you know what? I mean, I always like talking about opportunity, right? That's what digital policy is all about. It's like the risk and the opportunity, and they balance each other out a lot of times. And certainly, it seems like, you're definitely looking at the opportunity, which is interesting, right? You have this one-of-a-kind patching offering, helping teams patch faster. Do you think that, just from an industry perspective, there's a movement towards consolidation in the cybersecurity tools market? Are we going to see consolidation? Is that a thing right now?

[00:15:53] MIKE: Yeah, it's, it's. If you look at my previous startup has come to called Opaque Networks. It was one of the original SASE vendors. You've probably heard of SASE. If you guys are listening to this, your listenership probably has heard of secure access service edge and SASE and all these kinds of things, but essentially it's the consolidation of high-performance networking and advanced security controls. And this is not, isn't the only place, right? And that was what, five years ago when that happened or, or just about and like it's unreasonable to expect for the current workership to maintain hundreds of tools, right? The average number of security tools in an organization is 76 because they just there's just so much stuff and there's a lot of sensationalism. There's a lot of focus on the new shiny thing. Hoping, just hoping that we can actually solve for this problem in a reasonable manner, and as a result, there's just so much sprawl that there's no way that you can reasonably expect people to manage and maintain tens of different networking devices and tens of different security tools. And so, as a result, the market has been forced to consolidate similar things, and one of the most obvious ones for anyone that's in vulnerability and patch management, we're going to have to fight tooth and nail, I think to make this happen. But the consolidation of vulnerability and patch management like these, like patch management, is one component of the vulnerability management cycle, but it's owned by two different things. And so I think in general I mean, we've been in a consolidated market for the last decade because we don't have the talent. We don't have enough talent to master hundreds of tools. So as a result, we have tools that are consolidated, like SD-WAN was pretty sassy, right? And SD-WAN just allowed you to manage and maintain all of your networking things. And it was just networking things, right? Think about switching and routing. These two things are massively complex in and of themselves. And so we've been consolidating and we'll continue to do that.

[00:17:46] KRISTINA: Obviously, we have I'm thinking about all the human factors. Right, and so you're talking about the consolidation like, yes, this is going to be so welcome for people who don't retire and get out of the business in the meantime, but I'm also thinking about this from the user perspective because I also feel like here, we are 2023. And we're still discussing breaches and training and more training for the user. And so, consolidation doesn't seem to be happening fast enough. And from the user perspective, we're still clicking the next, next, next screen and doing lots of training. Is there a way to speed this process up? It just seems like we should be getting smarter and faster.

[00:18:34] MIKE: Probably getting smarter. Don't know that we're getting faster. It's certainly getting faster at like churning out new tools with the assumption that a lack of technology is the fundamental reason for all the issues we have. What I think is really funny and, this is, you know, what training is rooted in, this is what Trackd thesis is rooted in, is that the fundamental cause for laggard patching or giving away your passwords or installing, malicious software isn't a lack of tech. It's some human condition in the space, in the vulnerability and patch management space. It's a fear of the unknown, right? I don't know if it's gonna break my sh**t for clicking a link it's maybe it seemed legit. Maybe I didn't have enough training. Maybe I didn't have whatever I think that like expecting perfect results out of an imperfect input is unreasonable. And so maybe technology has actually, certainly, technology has a part to play, but it's only once you've truly identified the fundamental reason for, the reason why people are doing the things they're doing. Can you apply technology to that problem? And I think we talked about this just earlier, like passwordless is a great example. You can't expect people not to get fooled. People get fooled all the time. And so if you provide a mechanism for which they cannot get fooled. Or even if they get fooled, they can't give away their thing. Like, think about like if, if you had a, your, wherever you are, and there are pickpockets, maybe you're in New York City and there's a bunch of pickpockets if you don't have pockets, then you can't get pickpocketed or, maybe your pockets are on the inside of your pants and city outside of your pants, right? Like something ridiculous. But, like, that's kind of the notion with innovation. So if you truly can understand what is the fundamental cause for this thing and then build around that, I think we'll make progress. But it doesn't seem like that's the motivation, right? The motivation is, and you know, it sounds like maybe a little out there, but if the motivation is only to squeeze more money out of your users, eventually they're going to get pissed off, and they're going to turn, and they're going to go to these other tools. And yeah, I think that my soapbox is truly understanding fundamentally what is the problem in all aspects, right? And all engineering, there's a lot of like engineering for engineering sake. To make you, whatever, to show off your engineering skills or whatever it is. But keep things simple. Try to understand fundamentally what the problem is and then solve that thing.

[00:21:01] KRISTINA: So obviously, AI is a topic du jour. Don't you think that AI is going to solve this problem necessarily?

[00:21:09] MIKE: Certainly not. I think that AI, like it's really interesting. Actually we published a blog about this or about to, but essentially the thought is like, Hey, Like AI is very like it's been sensationalized like it's there's a lot of fear uncertainty doubt around it and it's hard not to get sucked into it but I think that just like any other topic you approach the same or major business problem or whatever just approach it the same way, understand what is it why are we doing whatever we're doing. Think that AI has its applications and will be useful. We're certainly making strides and becoming more efficient, but I liken it to the advent of, like, Microsoft Excel. When Excel first came out, everyone said, Oh, it's gonna be the death of the CPA. It's gonna be death of the tax professionals. And it's not right. It's clear you still have to do your taxes every year, you still have an accountant. And what Excel allowed financial professionals to do is be more efficient, and do more with what they have. And I think that's what AI is, at least in this permutation; maybe Musk is right, and eventually things will get taken over, and it will be the doom day of Earth or whatever it is, but we're way far off from that. Especially with just relying on LLMs.

[00:22:18] KRISTINA: And we'll still probably need humans and cyber security, even in that context, right?

[00:22:23] MIKE: Who knows? Who knows? But for the foreseeable future Yeah, certainly, with just the algorithms that LLMs are built on, humans will be required in nearly everything still.

[00:22:36] KRISTINA: So, as we're all thinking about going to work tomorrow, having listened to you today, hopefully we're not overly pessimistic. Lots of good stuff is still ahead. What is the one thing you hope each of us will do differently in our daily jobs? What could we be doing right now in terms of security vulnerability patching that would help?

[00:23:06] MIKE: I don't think the answer is a technical one here. I think that in general, if people just were to stop and consider the people they're working with as other people and not objects or roadblocks that you have to bulldoze. There's just so much more that we could be able to do because there's and it's hard to actually do. It really is. And I get you. I don't feel this anymore with Trackd. We actually have a really good team. But in my previous roles, it's really hard to assume positive intent constantly and assume that you aren't the cause of whatever situation you're in. What I would implore people to do in everything that in everything, it's certainly where I've seen the most success, especially in security and getting projects pushed through, large entities like the NSA and small startups of 40 folks, or even ten like Trackd to treat people like people and assume positive intent and help consciously make an effort not to become a roadblock, but to become an accelerator. You can't not win. And that's how I approach every day and how I implore my team to approach every day. And so I'd implore you and all your listeners to do the same.

[00:24:21] KRISTINA: That's a wonderful ending note and great advice. Thanks so much, Mike, and I appreciate hanging out with us today. It's been great having you.

[00:24:30] OUTRO: Thank you for joining the Power of Digital Policy; to sign up for our newsletter, get access to policy checklists, detailed information on policies, and other helpful resources, head over to the power of digital policy.com. If you get a moment, please leave a review on iTunes to help your digital colleagues find out about the podcast.