In this episode of Securing the Digital Supply Chain, Anirban Banerjee, CEO and co-founder of Riscosity, talks to Atif Yusuf and Ravi Gunturi, two well-known security leaders in the San Francisco Bay Area.

Full Transcript of the Episode

Anirban: Wonderful. Atif, welcome to the Riscosity session for Security Thought Leaders, and we’re very honored to have you on our very first episode in Riscosity’s life. Just for everybody, Atif Yusuf is one of the senior security leaders at HPE. Atif and I have known each other for quite some time. He was pivotal in helping me with my last product, Onion ID, when he was leading the security team at Baker Hughes GE, based in San Ramon. And Atif in his past has worked at large enterprise companies. He has advised various types of startups on different aspects of security. And with that, we’d like to welcome Atif Yusuf to our program.

Atif, if you could just, I’m sure I did not do justice to the entire pantheon of experience that you have. But if you could just give us a quick overview of the spectrum of various security positions that you have held in different companies, just for our viewers, that would be wonderful, sir.

Atif Yusuf: Yeah, thank you, Anirban, and thanks for inviting me. Really excited to be here. Appreciate it. So, having been in the security industry for 20 plus years, I’ve worked at companies like Verizon, McKesson, GE, and HPE. So, I’ve held several roles, and recently leadership positions, in security operations, security engineering, compliance, as well as the whole application security space. So, a very broad experience when it comes to information security, and I’m happy to be here, Anirban.

Anirban: Wonderful, wonderful, and thank you very much again. Atif, for this discussion, essentially, we would like to bank on your experience and help our viewers understand how you see the world, and what your thoughts are about some interesting areas that are common to us. And the area that we want to focus on today is specifically vendor risk management, managing the third-party supply chain for software. I know that you are very familiar with this area, but just to kind of help people also get their first steps into this area: what is your perspective on what the software supply chain is?

Atif Yusuf: It’s a really interesting question, and I don’t know, maybe it’s hard to do justice to it in terms of what it really is. It’s a very large ecosystem, and in today’s world, it’s very difficult. And I don’t know any team that can develop a product or any sort of meaningful software without having these partnerships, the ecosystem relying on open-source components and other things from other third parties. So, in my opinion, it’s something that we cannot live without, and it’s an essential part of the overall product software development reality. So, basically, it’s something that we can’t avoid. So, in other words, as far as the software supply chain is concerned, it’s about working with your third parties, your vendors, open-source software, all of the above shared components as far as security is concerned, and as far as your software is concerned. But it is something that’s the reality.

It’s something that we have to work with, but we have to make sure, as security professionals, that we do the best we can to secure it. So, again, our job as security professionals is to enable the business in a secure way. So, if the business wants to use third-party components, open-source components, vendor software, yes, they should be able to use it. However, doing it in a secure manner really relies on, depends on us as security professionals. It’s our responsibility to assess the risk, to know what companies we’re partnering with, what components we’re using, what open source we’re using, right. At least have that visibility and know where the risk lies. We don’t want this to be something that we don’t know about.

So, once you know about these things and you have visibility, then you can go and help secure those third parties and open-source components and other things that are used within the software supply chain. So, it’s a pretty broad topic, and I don’t know if I did justice to it. But in a nutshell, at the end of the day, we are enabling the business in a secure fashion based on risk.

Anirban: Wonderful. Now I think that gives us a very good basis, because not only did you answer the question of what the software supply chain is, but also the challenges that are in there. And the whole concept of why it is important: as you said, from a business perspective, we need to understand the risk of doing business with these third parties. Because at the end of the day, as a security leader, you are constantly trying to make sure the business moves forward. It’s not that we’re trying to say no. We’re trying to say yes, but yes with the caveat that let’s understand what’s going on. So, that’s a perfect answer. Thank you very much. Thank you very much for that. And we’d also like to welcome our colleague Ravi Gunturi on this call. Ravi, welcome.

Ravi Gunturi: Thank you, everyone. Thank you.

Anirban: Our pleasure to have you, and just a quick background about Ravi: he is now part of the core security team at Capital One. Ravi has very broad experience in terms of operational roles as well as leadership roles, research roles, and so on and so forth. Ravi has had experience working in different types of companies, from very large enterprises to startups to mid-market companies. So, his perspective on life as well as on security software is very, very varied. So, with that, Ravi, welcome to the conversation over here. I’m sure, again, just like with Atif, that I could not do justice to your particular background, but if you could give us even 20 seconds on the particular companies you’ve been through and the roles that you’ve been through, so that our viewers understand the perspective that you bring to the discussion here, that would be wonderful, sir.

Ravi Gunturi: Sure, Anirban, and thank you. So, my name is Ravi Gunturi. I’ve been in security, particularly application security, for almost 15 years now. And for the last 20, 30 years I’ve been working in various capacities, starting from enterprise security architect to CA manager. During this time, I’ve been working at major healthcare companies out on the west coast, starting from UCLA, Stanford Hospital, Children’s Hospital, and a big healthcare company called YQT very recently. So, I’ve worked at GES Mall, GE Island Gas, and right now, I’m at Capital One as their senior manager and one of their ISOs for all things

Basically, my responsibility is to make sure that there are no security vulnerabilities in the unauthenticated space.

Anirban: Wonderful. Thank you for that, Ravi. And with Atif, we were talking about some ideas about what the software supply chain is, to help our viewers understand the basics of the whole concept of vendor risk management, the software supply chain, and so on and so forth. Since you’ve had a lot of experience in different types of companies, my question is: from a supply chain perspective, what is your opinion, is this problem a pervasive one, and if it is a pervasive one, how are different types of companies today trying to solve this problem?

Ravi Gunturi: It is a pervasive problem. Basically, all the organizations that I’ve been working with so far, everybody has this issue. But so far, organizations have been more reactive in their approach, not more proactive. So, it’s always like, okay, there’s a vulnerability. I mean, once we get notified, that’s when we go and start looking for that. So, we are looking for a solution where it’s kind of more proactive, kind of sits in between the organization and the third party, and then shows us what the possibilities could be or what some vulnerabilities are that we are not thinking of to begin with. That would be, I mean, that is something that would be very ideal.

Anirban: Wonderful. And on that same thought process, oftentimes do you feel that sometimes teams, especially the non-technical teams inside the company like Legal, HR, all these teams, feel that they have a handle on the type of vendors or the number of vendors that the software service is working with? But in reality, oftentimes the first step of the problem is visibility: that we don’t always know that from our website we’re actually talking to 20 vendors, versus thinking that we’re talking only to two vendors. Is that a problem?

Ravi Gunturi: Yes. So, basically, I think for most organizations, one of the issues is knowing what all the different vendors are. And basically, at a high level, I can kind of break it down into three different things: knowing what’s being used, managing the security risk of what’s being used, and then basically continuous monitoring of these different libraries or third-party integrations, so on and so forth. And whenever we’re talking about third-party integration, basically, I think it starts with procurement, the business reaching out to the security team with a use case saying, okay, this is the security use case. This is a use case, and we want to bring in this vendor into the organization.

They should be working very closely with security, from both an architecture and a security risk standpoint, to identify the risk with this third-party vendor. And also with legal and compliance to understand, to kind of get the documentation in order. So, if there is ever a security breach, basically, try to kind of figure out who gets to respond and basically what each team’s responsibilities are, so to speak.

Anirban: That is very appropriate. Thank you for that. In that same way, Atif mentioned that one of the goals for the security team and leaders like you and Atif is essentially to make sure that we enable the business to go forward. So, Atif, from your perspective today, given that you have worked with a lot of C-level folks who have asked you for your opinion and you advise them on various policies and strategies: what is the role for the C-level to play in this vendor risk management area?

Atif Yusuf: Yes, that’s a good question, and I think that it’s a role that the C-levels really should play in every aspect of an organization’s information security. And not just this, however this becomes, you know, quite critical, because of the fact that you’re opening yourself to a huge risk area, right. So, this is not just your security hygiene, but also the security hygiene of people that you’re working with or doing business with, connecting with, sharing data with, right. So, the risk actually starts to multiply. And that becomes a little bit scary. So, the leadership really has to focus on this area as one of the critical items. And not only from a security perspective, but also from a risk and compliance perspective.

For example, if you’re doing business with the government, you may have specific FedRAMP and other government requirements from a compliance perspective. You may be sharing HIPAA or PCI or GDPR types of data. Now, typically a lot of these things sit within organizations in the privacy and compliance sort of area. Maybe not specifically in the security area. So, sometimes C-levels might think that, oh okay, because this is compliance and privacy, maybe I don’t need to worry about it too much. But that’s not true, because at the end of the day, in protecting our environment and the organization, we are responsible for it.

So, as a CSO, you’re still responsible for it, right. Whether this was somebody else’s function or not. So, I think it really is the fiduciary responsibility of the C-levels to make sure that we, like Ravi said, you know, we don’t want this to be an unknown, right. Unknown unknowns, where we don’t know, we don’t even know what risk we have. So, in security, we call that due diligence. So, if we don’t do our due diligence in terms of knowing the threat landscape, right, knowing the risk, understanding and having a catalog and visibility into vendors and third parties that we’re connecting with, we’re not doing due diligence. And the next step would be due care.

Once you know about these risks, then you have to do something about them. You have to be able to manage your risk. And so, I think a comprehensive risk management program is needed for this particular area, and I think it’s really critical for the whole organization. And obviously, the CISO should sponsor such a program.

Anirban: Perfect. And that makes perfect sense. Ravi, since you’ve had very up close and personal experience with contributing to codebases, from our previous interactions. Even at GE and other companies, you were actually very close to some of the codebases, integrations with third parties, various types of IAS providers, and what not. Today, one of the common areas of concern is APIs, because we are using those to exchange a bunch of data. As Atif also mentioned, we are transferring left and right PCI data, GDPR data, all these types of things. What is your perspective on what companies should look out for when they use APIs with these third-party vendors? What are some of the high-level 2 or 3 points that you would suggest, that, hey, if you’re using these APIs make sure XYZ is there?

Ravi Gunturi: Yep, that’s a very good question. So basically, I mean, when we’re talking about third-party API, third-party integrations in most of the organizations, I mean, this is very pervasive in healthcare organizations so to speak: basically, the very first time when you’re engaging with the third party, you do your due diligence. Basically, you test the APIs out, you make sure that you’re passing in the required data, and make sure that the APIs are properly set up and everything works in order. Once that is done, people never go back and look at it again. So, there is no continuous monitoring aspect to it.

Anirban: Correct.

Ravi Gunturi: So, that is one of the big things that is missing. So, let’s say down the road, like 6, I mean 5, I mean maybe 5, 6 months or a year down the road, somebody adds a new field to that. There is no visibility to it. And at the same point, at the same time, I mean, let’s say the vendor is on some sort of basic authentication and they want to move to OR. So, the organization needs to invest some time into looking at all the possibilities in authentication, basically how to secure the APIs, so to speak. And adapt to the changing landscape.

Anirban: Correct. And in this, especially digging into your experience in the healthcare sector, where you’ve butted up against HL7, HIPAA, ISMS, QMS, all these various things that you’ve dipped your hands into and kind of held close to your chest. With all these things that are there today, is there any concept of this constant looking out for things, as you have mentioned, or is this the next version of things that people should be looking out for, which is still not codified in these standards as yet?

Ravi Gunturi: No, I think, I mean, most of these healthcare organizations go for some sort of security control implementations. Like HITRUST, one of the big things is HITRUST, and HITRUST talks about continuous monitoring. But when healthcare organizations implement these HITRUST controls, they are looking at continuous monitoring of infrastructure, not third-party integrations. So, that’s one of the biggest gaps there. So, when we say, I mean, continuous monitoring, it should be inclusive of everything within the organization, that the organization ever touches, or wherever the organization’s data ever, I mean, basically crosses those boundaries. So, if it goes to Anthem or other third-party companies, I mean, all the healthcare organizations should be looking at those touchpoints as part of their continuous monitoring process.

Anirban: Wonderful. And that brings up another question. I’ll switch to Atif, because this is kind of something that I remember is similar to Atif’s experience over there. Atif, one of the typical questions that people oftentimes bring up is, well, why not just buy more cyber insurance? Why should we invest in this? What would be a good comeback to folks who think, hey, enough cyber insurance is just an answer to every problem in vendor risk management?

Atif Yusuf: Yeah, that’s a good question, and people have been buying cyber insurance quite a bit recently with the ransomware and other things that are going on. So, I think that yes, there is definitely, ransom, sorry, having cyber insurance is definitely something that I wouldn’t discourage somebody from having. However, I think that alone cannot, it is not the solution, right. So, I think it has to be a comprehensive solution that should include good security hygiene, good visibility, a good risk management program around our ecosystem. And then at the end of the day, yes, we can also have cyber insurance, that’s fine. But that can’t be the answer for everything. It is part of the solution but not the answer, and that’s not what we as security professionals do, right. So, we are here to protect the organization. We are here to, you know, manage our risk. And so, yes, definitely use cyber insurance as part of the solution but not the whole solution.

Ravi Gunturi: Yep. I think on that note, that should be the last layer of defense.

Atif Yusuf: Yes.

Ravi Gunturi: Not the option.

Anirban: Yeah. Yes, absolutely.

Atif Yusuf: That’s exactly what I’m trying to say, Ravi. Thank you.

Ravi Gunturi: No problem. One of the things, I mean, I could add to that is, especially in a healthcare setting, if you get attacked by ransomware, I mean, yeah, cyber insurance is going to help you to pay out the ransom and get back to business. But between the time the organization gets attacked with the ransomware and the time you pay the ransom, there is this window of time where you would miss data, basically. I mean, let’s say we’re talking about a hospital, the continuity of care is going to be potentially impacted. Because, I mean, let’s say the patient is in EMR, I mean, is in emergency, and ransomware gets into the organization and all the systems are down. And the doctor is not able to treat the patient, because he doesn’t know the patient’s allergies. That’s a big thing.

So, I mean, in a healthcare setting it makes a big difference. I think, I mean, you can kind of use the same scenario. I’m sure that banks or all these other industries will have very similar examples as well. But in the healthcare setting, it’s a life and death issue at that point.

Atif Yusuf: That is a good point. That’s a really good point, and not just, like you said, financial data, right. Loss of business for the time lapsed. So, it’s important that that’s not our first line of defense at all. So, yeah, I totally agree with you, Ravi.

Anirban: Yeah. And then this actually brings up a nice segue to the next thing that we’ve all heard in the last 7 days. The only thing we have heard, in a sense, in the last 7 days is, I’m guessing, Log4j. So, this has taken over the world like crazy. And this speaks, in a sense, to the whole discussion that we are having: in our software stack, do we know what building blocks are actually there? And had we had a Rosetta stone in place to say, the moment I was told about Log4j, I could have found out that in my code repository, in this file, on this line, here is the problem. My mean time to respond, exactly what Ravi was essentially talking about, that MTTR, the mean time to respond, would have been faster where ransomware has hit.

I’m willing to pay the money one way or the other, just let me get back on my feet, but that response time is so critical. Any thoughts about this Log4j exercise, gentlemen, that came up?

Ravi Gunturi: Yeah, yeah, I mean.

Atif Yusuf: It has a, I’m sorry, go ahead, Ravi.

Ravi Gunturi: No, yeah, I, I mean, basically, it was a big thing actually. And with Log4j, I think I was going to touch upon what Atif was saying earlier too, is, I mean, it’s not just about identifying your direct dependencies, you need to identify transitive dependencies as well. If you’re using a third-party application and that third-party application uses Log4j, kind of open source behind the scenes, you need to be able to kind of drill down and identify that application too, and then say, oh, this application is also vulnerable because of the Log4j library. It’s not just your direct dependencies, it’s your transitive dependencies as well that you need to identify.

Anirban: Yeah.

Ravi Gunturi: And if there is ever an application or security tool, so to speak, that can crawl my infrastructure and then say, okay, your direct, basically your application is using Log4j version 2.15, I mean, between. So, on Log4j, basically, any application that has been using Log4j version 2.X to 2.15. 2.14 has been, I mean, was vulnerable and Apache released 2.15. And within a day, they found, I mean, they released another CVE for that and then 2.16.

Anirban: Yes.

Ravi Gunturi: So basically, I mean, if there is a security tool that could easily identify all the applications that were using these sets of, these different versions of libraries. Either direct applications, or in an indirect fashion where you’re using an application and that application is using Log4j behind the scenes. And the only way you could do that is you crawl the entire source, I mean, basically the OS file system.

Anirban: Exactly.

Ravi Gunturi: And then identify the libraries. And potentially put some contextual information around that, saying okay, I found this Log4j in this path. So, I’m thinking that this, I mean, this Log4j library is attached to this particular application, so this particular application could be vulnerable, so take a look at it.

Anirban: Correct, correct. Makes 100% sense. I mean, this is critical. I mean, Atif, from your perspective, when we talk about this Log4j thing, and Ravi brought up this really interesting point that it is not just the direct dependency but the transitive dependency. So as a company, if I purchase a service or software, let’s say Riscosity as a company, as an example, is selling a service that is installed on-premise for a customer. So, the product is running over there. The customer says my own code is free from issues from Log4j. We never use Log4j, that’s all good. But Mr. Riscosity, you should tell me, or I should have an independent way of finding out, that despite Riscosity telling me good, bad, ugly, I should be able to find out whether Riscosity is using Log4j or not. And that is the best kind of attestation to say, I did my check, it came up thumbs up, I don’t care what anybody actually tells me, whether it’s good, bad, ugly. Any thoughts on that?

Atif Yusuf: Yeah, I mean, that’s the biggest challenge, as Ravi said. Everybody knows how to fix this thing, right?

Anirban: Yes.

Atif Yusuf: The big challenge is to find it, where it is, right.

Anirban: Correct.

Atif Yusuf: Nobody has a catalog of all the components. One of the good things that came out of President Biden’s directive on information security is that it is really encouraging organizations to have an SBOM to really catalog all the components. That’s one thing. The other thing is that if Riscosity is running in my environment, by the time something goes wrong and I’m going to call you and ask you, hey Anirban, can you tell me if you have this vulnerability or not, I mean, now you’re going to go and look for it. I mean, that’s very critical time wasted, right.

Anirban: Correct.

Atif Yusuf: I don’t need to, at that time, call you and ask you, and then you’re going to do this, right. It has to be proactive. It can’t be reactive, to really minimize mean time to respond, right. Like you said before, right, to minimize that, right. And to be able to mitigate this, you really have to have a proactive approach, a good program, good visibility into which software components and applications you’re using. And you should know beforehand what vulnerabilities might lie in there. So, Mr. Riscosity, I want to know now, before something bad happens, what components you’re using and where you’re using them. So, if I find out about a vulnerability in that component that you’re using, I go fix it. I know it’s there.

Anirban: Correct, or at least even if we cannot fix it, we have a strategy for quarantining a server or something that can help us.

Atif Yusuf: Somehow, come up with some sort of remediation, whether it’s patching it or doing it in our firewalls and network controls or whatever it is, right.

Anirban: Correct.

Atif Yusuf: But going and looking for things when bad things happen, yeah, that takes a long time. That’s really not a good strategy.

Anirban: Yeah, exactly. Now, gentlemen, I have to say a big thank you to both of you. We’ve had a wonderful conversation, and thank you very much for providing examples from your life and from your experience. I think when viewers view/hear this conversation, it will help them understand and get context about why the things that we are interested in and looking at are important. What makes us passionate about these things. What are the challenges of this area? And to both of you, I would say a big thank you again. I know everybody is vying for a slice of your time on your calendars.

So, we really appreciate you spending your time with us. And with that, I will bid you adieu and we will pause the recording for now. Have a wonderful Christmas, and hopefully you get to spend quality time peacefully with your families. No annoying neighbors or relatives at that time, but thank you again, gentlemen. I really appreciate this.

Atif Yusuf: Thank you. Happy new year. It was a lot of fun. Appreciate it.

Anirban: Perfect.