
Computer Security Incident Management Requires Planning Ahead and Making Hard Calls

Jeremiah Grossman talks about computer security incident management and prevention.

A lot of things about cybersecurity aren’t easy. From evaluating the value of your digital assets to setting up security that’s not too much or too little, there’s a lot to it. The most challenging part is that you have to get it right 100% of the time to keep criminals out, but the criminals only have to get it right once to cause a huge problem. It’s pretty much a fact that you’re going to have an incident at some point. But planning ahead for computer security incident management can make it easier to deal with in the moment.


See A Lesson in Crisis Management with Jeremiah Grossman for a complete transcript of the Easy Prey podcast episode.

Jeremiah Grossman has spent the last twenty-five years in cybersecurity. He is the founder of the cybersecurity companies WhiteHat Security and Bit Discovery, and he has worked with dozens of startups to find and fix cybersecurity problems. Now he is the managing director of Grossman Ventures, a venture capital firm that invests in startups trying to solve big cybersecurity problems.

The First Big Computer Security Incident

Jeremiah’s introduction to computer security incidents came early in his career. When he was twenty-four years old, his company, WhiteHat Security, had been in business for about two years. They had around twenty customers, most of which were big companies with recognizable names. Jeremiah had raised some money to start the company, but he had also put his life savings into building it, and it was doing really well. Their business was finding vulnerabilities in customers’ websites so the customers could fix them. Because of this, they held a lot of sensitive data about their customers.

One day on his way in, Jeremiah got a call that there was a huge problem. On all of their Linux boxes was a ransom note. Someone had broken into one of WhiteHat’s jump boxes, gotten into their network, and gained access to all the vulnerability data, passwords, and code the company had. Then they hit WhiteHat with ransomware. Their devices didn’t work. If they didn’t pay the criminals $50,000, they would release all that data and tell the customers. It would put WhiteHat out of business.

What do you do in a situation like that? Jeremiah took a few moments to figure it out, and came to the conclusion that this might be the end of the company. But even if it was the end, he didn’t want to go out screwing over his customers.

Jeremiah’s Computer Security Incident Response

The first thing Jeremiah and his team did was to back up all their systems and data, then shut everything down. They burned DVDs of the data, because that was the technology they had back then. Then they shipped each customer the DVDs with their data so that, if that data was released, they could protect themselves.

Jeremiah quickly informed the investors of the situation. Then, as CEO of the company, he made some very uncomfortable phone calls to every customer. He explained the situation, what they knew, and what they were doing about it.

Jeremiah and his team were also talking to the FBI and trying to help them identify the criminal. As best as they could figure out, it was an Eastern European extortionist, but they couldn’t get much further than that. Eventually, with the clock running out, Jeremiah did the calculations and finally decided to pay the ransom.

With their systems unlocked, Jeremiah and the WhiteHat team went through every line of code and rebuilt their system from scratch. It took weeks. But they didn’t lose a single customer. This taught Jeremiah a couple of things. First, if you act with integrity and in the customers’ best interest, and you keep the customers in the loop, they’ll stick with you. Second, he now had first-hand experience of a small business dealing with computer security incident response, and it gave him a better idea of how to handle it, both technically and socially.

Handling Computer Security Incidents

Jeremiah has seen computer security incident response handled in all sorts of ways during his time in the industry. A lot of companies these days want to downplay or minimize it. They do their best to not admit fault and to get distance from the incident.

Jeremiah didn’t take that approach with his company because he didn’t want that to be his last day in InfoSec. InfoSec is entrusted with the secrets of the world, so to speak – they need to act with integrity and their customers have to trust them. When Jeremiah made those hard calls to keep them informed, WhiteHat’s customers knew they were going to get hacked, but they also knew that he would keep them updated on anything that might affect them, even if it looked bad for WhiteHat. It’s a lesson Jeremiah took with him for the rest of his career. If he can get the bad news quickly, he can handle it.

Sounding the alarm early can help with computer security incident management.

The calls he had to make were embarrassing. And his customers were concerned, because they had taken a chance on a startup. But nothing bad ended up happening to them. And in Jeremiah’s experience after that point, the companies that experienced major breaches tended to be the most secure ones. Or they tended not to know there was a breach at all. Cybercrime is impactful, but it’s possible to be a victim without knowing it. Often that’s because computers are a black box. A machine behaves weirdly, and you wipe the hard drive and reset it – was it actually malware, or was something just corrupted? It’s hard to know.

Cybercrime, for as big and impactful as it is, it’s the only real crime … where the victim doesn’t know they’re a victim.

Jeremiah Grossman

Computer Security Solutions through Startups

Through Grossman Ventures, Jeremiah aims to help even more people solve cybersecurity problems and deal with computer security incident management. There are around 1,000 pre-IPO security companies in the ecosystem. Jeremiah’s investment fund talks to CISOs about the biggest problems they’re dealing with and works with cyber insurance carriers to learn about breach and claims data. They home in on problems worth dealing with, then find or create companies to meet those needs.

Jeremiah’s reasoning is that he could start up another company and solve a single problem. But he wants to scale up. By investing in other companies, he can help drive the solution for dozens or hundreds of problems. With his extensive entrepreneurship experience, he can also coach aspiring startup founders, helping them refine their ideas and giving them the best chance of success.

The Three Steps of Solving Computer Security Problems

There are three primary parts to solving computer security problems. First, you need to identify problems worth solving. Ideally those are the ones that have the most impact, and they often come with a lot of disagreement about the right solution. The problem Jeremiah’s last company, Bit Discovery, set out to solve was attack surface management: companies don’t know what they have exposed on the internet, and you can’t secure what you don’t know you have.

The next part of the equation is that no one wants to overspend or underspend on security. But the only way to avoid that is to know what assets you need to secure and their value to your business. The first two steps in security are to find each asset and value it. But figuring out the value of a digital asset is really hard. You can’t do digital risk management when you don’t know what your assets are or what they’re worth.

There is … no algorithm or model in the world that will help you appraise the value of a digital asset.

Jeremiah Grossman

The third part of the equation is that breaches will happen. At some point, more security becomes prohibitively expensive. Cyber insurance carrier data shows that losses tend to correlate with the time an adversary spends in the system. If you can detect them within a few days, you’re not going to suffer the losses you would if they were in your system for months. This is why Jeremiah likes computer security incident management solutions that emphasize fast detection and response. There’s nothing more frustrating for an attacker than spending a lot of time trying to break into a system, finally getting in, and getting kicked off immediately. It can really discourage adversaries from attacking you.

Determining How Much Protection You Need

Of all of these steps, determining how much protection you actually need tends to be the hardest. Maybe you don’t need to protect certain assets as much as you think, so you can spend more resources on a mission-critical one. Assets have different levels of value.

We do this in other places of our lives, too. If you put a big lock on your front door, how secure is it? No lock is going to stop someone from driving a truck through your door to get in. But if you’re more concerned about the person trying to kick your door down than the person willing to drive a truck into your house, a lock will do just fine. But if you have a large plate glass window right next to your door, a lock won’t stop someone from breaking the window to get in.

We make these kinds of ordinary risk-versus-cost trade-offs all throughout our lives. When it comes to cybersecurity, the principle is similar. The world spends about $200 billion on cybersecurity products and services every year. JPMC, a huge bank, recently said in the New York Times that they spend between $200,000 and $250,000 a year on cybersecurity. But if you ask a competent red team how long it would take them to break into any company, you’d probably find that a team of four people could do it in a few days with $50,000. With those kinds of numbers, you had better be investing in computer security incident management as well as cybersecurity. If we can find an economic model to flip that script around, we’ll make progress.

Flipping the Economic Script

One of the reasons that so many people are freaking out about AI is that it’s a force multiplier. What would have once taken fifty people can now be done with one person and an appropriately-trained AI. There isn’t one overarching solution for this problem. But there are ways to flip the script.

Prevent computer security incidents by making it harder for criminals to automate their crimes.

For example, one recent company re-imagined CAPTCHA with a brand-new model. In the age of Google reCAPTCHA, an adversary can automate certain processes and defraud companies. With the re-imagined CAPTCHA, the automation no longer works. The criminals can still get through by having people click on buttons. But that increases the cost in time and manpower for them. If you can make a solution that can’t be automated, you make it harder and more expensive for criminals to do. Criminals are already mad about this new kind of CAPTCHA – and if the bad guys are upset, it’s working.

If you can make the solution just a little bit harder, where you have to solve it with humans … then you’ve increased [cybercriminals’] costs.

Jeremiah Grossman

This is an economic game. If we can raise the costs for adversaries, it becomes harder for them. Criminals aren’t going to do something that’s not in their best financial interest. If they have to spend $100 to steal $1 from you, we win that game. Of course, that doesn’t account for a nation-state actor who doesn’t care how much they spend because they’re targeting you specifically. It’s like the bear in the woods analogy, where you don’t have to outrun the bear, just the other hikers. That works just fine until the bear wants to eat you specifically.

Fast Detection is the Best Computer Security Incident Response

If a professional team of cybercriminals is coming after you, they win. Period. At that point, the best computer security incident management tool you have is fast detection and response. Detect them fast and get them out of your network fast. This makes it harder for them and limits your opportunity for loss.

If it’s a professional team going after you, they’re going to win. In that case, what choice do you have except fast detection and response?

Jeremiah Grossman

Jeremiah is a huge fan of a product called Canary, made by the company Thinkst, as an economical way to detect intruders. When an adversary breaks in, they start somewhere small. Once they’re in, they move laterally to find interesting things. Canaries are set up to look like a Windows domain controller and parked on your network. They don’t do anything, and you can set them up and forget them. But because they look like domain controllers, an adversary is going to scan them to see if they’re interesting. When scanned, a Canary sends a signal. Your incident response team sees the signal, knows it’s an intruder, and responds.
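As an added illustration of the canary idea (example code written for this summary, not Thinkst’s product), here is a minimal decoy listener in Python: it never serves anything, so any connection to it is treated as an intruder’s scan and turned into an alert record. The `Canary` class, the `probe` helper and the loopback `demo` are all constructed for this example.

```python
import socket
from datetime import datetime, timezone

class Canary:
    """A decoy listener: it runs no real service, so every contact is an alert."""
    def __init__(self, host: str = "127.0.0.1", port: int = 0):
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.bind((host, port))      # port 0: let the OS pick a free port
        # listen() queues completed TCP handshakes until accept(), so probes are not lost
        self._sock.listen(8)
        self.host, self.port = self._sock.getsockname()[:2]
        self.alerts: list[dict] = []

    def collect(self, timeout: float = 1.0) -> list[dict]:
        """Drain queued connection attempts, turning each into an alert record."""
        self._sock.settimeout(timeout)
        while True:
            try:
                conn, (src_ip, src_port) = self._sock.accept()
            except socket.timeout:
                break                      # nothing more queued: stop draining
            conn.close()                   # never answer; only record who knocked
            self.alerts.append({
                "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
                "src": f"{src_ip}:{src_port}",
                "decoy_port": self.port,   # no legitimate host should reach a decoy
            })
        return self.alerts

    def close(self) -> None:
        self._sock.close()

def probe(host: str, port: int) -> bool:
    """Simulated scanner contact with the decoy (constructed for this demo)."""
    try:
        with socket.create_connection((host, port), timeout=1.0):
            return True
    except OSError:
        return False

def demo() -> list[dict]:
    """One detection round: two probes against a fresh decoy, then drain alerts."""
    canary = Canary()
    try:
        for _ in range(2):
            probe(canary.host, canary.port)
        return canary.collect(timeout=0.5)
    finally:
        canary.close()
```

In a real deployment the alert record would be shipped to the incident response team’s alerting channel rather than kept in a list, and the decoy would be dressed up to look like the domain controller the text describes.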

Twenty years ago, Jeremiah worked at Yahoo, and his job was basically to hack everything Yahoo had. They had 120 million users at the time, and they estimated 1%-2% of their user base was somehow malicious. That’s 1.2 million bad guys. Imagine being an army of twenty dealing with 1.2 million bad guys. You learn scale really well. Scale is going to be the great equalizer, or we’re going to become victims of scale. One of the benefits of AI in cybersecurity and computer security incident management is that it’s a brand new tool to help us with scale. And we certainly need the help.

Don’t Be Low-Hanging Fruit

Disaster will strike in some way. At some point, you will have to deal with a cybersecurity problem and do computer security incident management. You just don’t want it to be the end of you.

Turn on multi-factor authentication (MFA). That’s prevention. Patch all your systems, devices, and programs as best as you can. And have backups. Ideally, your backups should not be connected to the same network as everything else. Criminals like to encrypt backups if they can, because it increases their chances of getting paid. These three things – MFA, patching, and backups – will save 99% of businesses.

The vast majority of problems are preventable. But a lot of the difficulty comes from scale. An average large company can have tens of thousands of hosts, and just keeping everything patched is a challenge. If you’re a smaller enterprise, it’s easier to patch and to have MFA. Just take the basic steps to protect yourself. Don’t be low-hanging fruit.

Most of the problems we deal with are preventable. We just have a scale and implementation problem.

Jeremiah Grossman

You can find Jeremiah Grossman on X, formerly Twitter, @jeremiahg, as well as on LinkedIn.
