ISMG Editors: Microsoft's Move to Expand Logging Access
Also: ISMG's Healthcare Summit and Emerging Trends, Challenges, New Tech
Anna Delaney (annamadeline) • July 21, 2023
In the latest weekly update, four editors at Information Security Media Group discuss important cybersecurity and privacy issues, including key takeaways from ISMG's recent Healthcare Summit, how the healthcare sector is embracing generative AI tools, and why Microsoft just decided to give all customers access to expanded logging capabilities.
The panelists - Anna Delaney, director, productions; Tom Field, senior vice president, editorial; Michael Novinson, managing editor, ISMG business; and Marianne Kolbasuk McGee, executive editor, HealthcareInfoSecurity - discussed:
- Highlights from ISMG's Healthcare Summit held this week in New York City;
- How the healthcare sector is strategizing for the consequences of generative AI and what future trends the sector can expect to see regarding medical device cyber regulations from the FDA;
- How Microsoft customers will gain access to expanded cloud logging capabilities at no additional cost just days after lower-level customers were unable to detect a Chinese cyberattack.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the Jul 7 edition on the virtual war between the U.S. and China and the Jul 14 edition on why the U.S. is behind on securing credit cards.
Anna Delaney: Thanks for joining us for the ISMG Editors' Panel. I'm Anna Delaney. And this is where ISMG editors meet on a weekly basis to reflect upon and analyse the top security news events and trends. I'm joined today by my brilliant colleagues, Tom Field, senior vice president of editorial, Marianne Kolbasuk McGee, executive editor for HealthcareInfoSecurity and Michael Novinson, managing editor for ISMG Business. Excellent to see you all.
Tom Field: Excellent to be back. Thanks for having me.
Marianne Kolbasuk McGee: Yeah, thanks.
Field: So Tom, I was saying wonderful colors on our screens today. So why don't you start us off because we got Barbie in the house. It's a Barbie world. You heard that right. Marianne and I were in New York this week, we had a healthcare security event in Times Square, and the view from our venue into Times Square was all about the promotion of the Barbie movie. So yes, it was the colors that attracted me. And I thought that's a virtual background to happen right there.
Delaney: Well done. Marianne, you're in New York, I suppose.
McGee: Yeah. Well, I didn't take this photo this week. Actually, my daughter took this a while ago and sent it to me. When I was planning for this morning's session, I was like, "Oh, God, I didn't take any photos."
Field: Super busy.
McGee: Went with my sister and her husband, I didn't have any skyline. So this was on my camera from a while back.
Delaney: Marianne, the ISMG Editors' Panel should always be on your mind. So remember, for next time. Michael, you're always bringing out the inner child in us. Where are you today?
Novinson: Yes, well, I have an outer child to take care of. So I am coming to you from Springfield, Massachusetts, at the Dr. Seuss Museum. Had a long weekend last weekend; did some camping up in the Adirondacks, saw some extended family on the way home, passed through Western Massachusetts and had never taken my daughter to the Dr. Seuss Museum. So figured why not stop for an hour or two and spend some time there. Very fun museum, lots of things to play with. She enjoyed the Dr. Seuss books. She enjoyed reading, someone had beanbag chair. So good way to pass the time even if your kid is not quite old enough to read.
Delaney: Well, this week I present to you a beautiful scenic view from France, where I escaped to last week. And it was just lovely to catch my breath for a couple of days in these stunning surroundings.
Field: Smells and sounds and looks so exotic.
Delaney: It's alright. There's lots of rosé and great conversations and sunshine and water. So it was all right, back to reality. Well, Marianne and Tom, you are, of course, both fresh from New York having hosted and curated ISMG's U.S. Healthcare Summit, an annual event. Marianne, maybe start with you. How did it go? What were the hot topics?
McGee: It went well. And I think our attendees were pretty well-engaged. One of the highlights, you know, this year, has been, sort of, in the past, is our medical device panel discussion and on every year, Dr. Suzanne Schwartz very graciously agreed to present to our audience, you know, the latest regulatory efforts of the FDA. You know, this year, she went over a new refuse-to-accept policy. That is, it's already in effect and basically what happened was last December, as part of an omnibus funding bill, the FDA was granted expanded authority over medical device cybersecurity. So, you know, part of their new duties there at the FDA is to more closely vet new products that get submitted to them, any sort of internet-connected device software, anything like that. And this new refuse-to-accept policy that went into effect in March basically allows the FDA to reject, you know, just send back from the get go any new device submissions that are lacking certain cybersecurity details, such as the manufacturer has planned for coordinated disclosure of vulnerabilities, software bill of materials, you know, so on and so forth. So now, this policy went into effect in March, but right now the FDA is giving some hand holding, you know, so if a device maker submits their device, you know, application, is lacking some of the details for cyber that FDA is requiring. FDA will let them know, "Hey, you got to do this, you got to do that," and then you can resubmit it. But beginning on October 1, the hand holding will stop. So device makers have got to get their act together and know exactly what it is that the FDA will be expecting. And also before that happens on October 1, the FDA will issue final guidance for the pre-market of medical devices. And they had last April 2022, issued some draft guidance.
So now this is going to be finalized and, you know, part of the responsibilities now, the FDA, with this new authority that Congress gave them is they have to, you know, regularly update these guidance materials. And then we had other government speakers at our event as well. We had someone from HHS OCR, you know, giving us an update on some of the HIPAA rulemaking that's going on, the trends that they're seeing with the breaches that are reported, you know, hacking incidents, ransomware, so on and so forth. And then our keynoter was deputy director, Nitin Natarajan, who is the deputy director of CISA. And he actually, he has a background in healthcare. So he's had the perfect role for this keynote, because he's not just, you know, a security guy, but he knows healthcare very well, he was a paramedic at one point, but he gave us sort of, you know, the lay of the landscape there with the cyberthreats that are facing the healthcare sector. So it was well-rounded, like what in terms of the regulatory issues that everyone worries about in healthcare, because it's such a regulated industry, but then we also had, you know, CISOs, from the private healthcare entities. And you know, maybe Tom wants to talk about that.
Delaney: That was a great overview. Tom, anything to add?
Field: No, she covered it. I do actually. I want to emphasize the word Summit, because I think that really distinguishes what we do from other conferences. It's a smaller group, we were talking scores of people, not thousands of people, and the opportunity for people to have meaningful conversations. And I heard this from sponsors as well as attendees and speakers that they had the chance to really have meaningful conversations with one another, not lost in a bigger event such as HIMSS or RSA. So it underscores what we're doing. The topics are terrific, the speakers are excellent pedigree, as Marianne was pointing out, but they really get a chance beyond the stage to have conversations with one another and come away with some new ideas. So highlights for me; really enjoy the business email compromise interactive exercise that we did. We did it after lunch this time, we got groups together and we gave them a business email compromise scenario, and they had to answer some tough questions about how to respond, what one would do differently, when or if to involve law enforcement and responsibilities going forward. And we had this with the guidance of the local office of the FBI, led by supervisory special agent Michael DeNicola, he and I sat down and talked a little bit about BEC and some of the latest trends and some of the scary numbers of reported incidents. And then he and his agents went from table to table participating in this conversation afterwards, we brought some participants up on stage to share some of what they talked about understanding the phishing and business email compromise, and socially engineered schemes in general are big for the healthcare community. In particular, this was a vital exercise and I think everybody got a lot out of it. So kudos to Raquel Sanchez and the CyberEdBoard team for bringing this together. I think it's a terrific addition to the summit. 
Another session I want to call out, Marianne started hinting at it, was we had a couple of good talkative CISOs. We had John Frushour, the CISO of New York-Presbyterian and we had Anahi Santiago, the CISO of ChristianaCare. They sat down and had an open conversation with one another about one of Mr. Novinson's favorite topics, generative AI, and it was nice to hear them. It wasn't exactly point-counterpoint. But they covered the broad perspective of, "Okay, generative AI is in our enterprise. Now, what do we do about it? Do we block it? Do we put particular guardrails around it? What can we do to understand and address the risks as well as the potential of the tools that are available to us now?" Excellent conversation. I think we did come away with some good ideas for how to put appropriate guardrails around this and not just put blinders on and say we're going to block this and attempt to put unreasonable controls around the tools that are so broadly available. For me, one of the highlights of that entire session was afterwards when session ended, people left the stage. John Frushour, in particular, gathered quite a group around him. And our colleague, Raquel Sanchez, came up to me and pointed out this is what happens when you mentioned on stage you've got a $13 billion security budget.
Field: A bit, but a lot of this right now is just understanding what's available. Understanding how it's being used in the organization and realizing that you have got some of the most critical of critical data within your organization that's got to be protected appropriately, no matter how it's being used in the generative AI tools. I think that John from New York-Presbyterian has got some particularly progressive views on this. Marianne, perhaps we should have him on for a private conversation about what the organization is doing, and looking to do, going forward. But I came away encouraged that, you know, I've talked to a lot of people in financial services. And initially there was a big, "We've got to block this, we've got to put regulations around this, we've got to hold this down." And I didn't see that so much with our friends from healthcare. I think that that represents to some degree the maturity of the executives in these positions, but I also think it represents the difference of the conversation about generative AI in July 2023 versus January of 2023. Now, what really excites me is Michael and I are going to Black Hat in August, and I expect the conversations to be rich with details of how organizations are starting to harness these tools.
Delaney: Yeah, I can't wait. What about emerging trends or challenges? Were there any that came up? And as of right now, in July 2023? Marianne, as well?
Field: Yeah, Marianne, I'm going to defer you because beyond the use of generative AI and what organizations are trying to do to protect themselves from ransomware and socially engineered schemes, I didn't come away with much. That would tell me there's something there that we hadn't talked about prior.
McGee: Yeah, and I would agree, you know, I think everyone always is worried about what's coming that we don't know about or that we're not ready for. And, you know, again, the deputy director of CISA, you know, sort of emphasized how these ransomware attackers and DDoS attackers, for that matter, this year, in particular, they're going after all sorts of - it's not just the big guys, it's the little doctor practices and clinics, and you know, and then also, you know, pharmaceutical companies, but, you know, especially the smaller organizations are just not prepared to deal with things that we already know about, let alone things that we don't know about. So, you know - and one of the things that he was emphasizing is the importance of information sharing. And if you're not going to be sharing your own intelligence information, then you'd better be paying attention to what's out there that we can inform you about, you know, just stay on your toes.
Field: I will offer this. Theresa Lanowitz of AT&T shared a recent report that they had done on cybersecurity threat trends, industries in general, but some healthcare in particular. What do you think going around our little screen here, number one cybersecurity threat to healthcare might be these days. Michael?
Novinson: Put me on the spot here. I'm going to say ransomware.
Field: Okay. Anna?
Delaney: Medical devices, IoT poor security on those devices.
Field: Marianne, I think you're out of the room. You might not have caught this.
McGee: Okay, yeah. All right. That's why I said earlier, there was this big surge in DDoS attacks, I think it was in January. And it wasn't even because, you know, the attackers wanted to ransom. They just wanted to disrupt.
Field: So that was one of my takeaways.
Delaney: Did they say that that is due to Russia-Ukraine war, because we've seen lots of DDoS erupt from the war.
Field: DDoS has become so there's very low barrier to be able to launch a DDoS attack, often the ransomware attempts that Michael was talking about come with a DDoS component. So I think it's just become a weapon that is very easy to wield these days, and can have the disruptive results that the adversaries are looking for.
Delaney: And you've both hosted this summit for a few years now. So what encouraged you this time, compared to other years?
McGee: Well, I don't know about you, Tom, but again, you know, because I meet them, I go to some of these larger shows like HIMSS, where there's thousands of people, but it's not all security, it's all sorts of IT. I think what impressed me with our Summit was because it's sort of a smaller sort of setting, people tend to be more honest, also on stage about, you know, their concerns and what they're doing, because there's just a small audience there and people are engaged.
Field: To give you an example, the report I was telling you about that Theresa Lanowitz of AT&T presented. The attendees are instantly challenging her on the makeup of the healthcare responding group, the number of the breakdown, you know, what did healthcare providers versus insurers have to say, they had good and tough questions. I think this is something you get. People don't bring canned presentations to our stages. And the attendees don't come in and feel like that they're separate from this. They're very engaged and eager to take the microphone or just stand up and ask good and tough questions. That's why we call these summits, we want that level of dialogue. That's what impressed me.
McGee: Yeah, they kind of remind me if you have a really favorite college professor or high school teacher, and the kids are really engaged with the conversation, that sort of the feel some of the sessions had that I thought.
Delaney: Yeah, wonderful to hear. I know that when we host healthcare roundtables, it does tend - they do attract a cerebral bunch. And they're great thinkers. So glad it was valuable. Sounds great. Well, Michael, moving on to your story. So following the news that Microsoft and U.S. officials confirmed a threat actor based in China had hacked the Outlook email accounts of U.S. government agencies and at least 25 European governments. Microsoft has now decided to give all customers access to expanded logging capabilities. So tell us more about what's behind this decision.
Novinson: Absolutely. And this has been a conversation for years and really, at its core, is an ethical, moral question of what security features and tools are public good. Obviously, these are provided by private sector organizations whose goal is profit maximization and a typical way of selling security capabilities is on a tiered basis that organizations can decide how much security do we want, and how much are we willing to pay. The federal government has been more muscular in recent years about saying that there are certain items that need to be on the threshold that are bundled in at no cost. One example in recent years has been multifactor authentication that Jen Easterly at CISA had been very clear that you can't have a tiered solution where it's, Okay, well, you get a username and password, and that's at the base level. And oh, you want a second factor that well, then you have to pay more for that second factor when we all know how important MFA is to security today. So in the case of Microsoft, they have some unique challenges, because they also are a technology provider. And I know with this secure by design, secure by default, that there's been a lot of pressure from the federal government for manufacturers to build security into their products, which is a unique situation Microsoft faces versus some of their pure-play security competitors. So can't be like, oh, we'll give you email for free. But oh, you want to secure your email, then you have to pay for that. So what we're dealing with here, this has been a years-old issue around logging data. And this actually came up a lot after the SolarWinds attack where the Russian Foreign Intelligence Service took advantage of Microsoft's technology. They didn't compromise anyone through Microsoft, but they used Active Directory and Azure Active Directory to propagate themselves, to move laterally and to expand their presence.
And it was very difficult for victim organizations to see what had happened unless they had a premium level license. And Microsoft, Brad Smith, who's the president of Microsoft was in front of the Senate. He was in front of the House in February of 2021. And he got grilled by a whole lot of knowledgeable folks in the cybersecurity space. Jim Langevin of Rhode Island grilled him, Bennie Thompson. And people were really upset that given that Microsoft's technologies, they can take advantage of that, the victims couldn't actually see what had happened to them unless they paid Microsoft a bunch of extra money beforehand. So let's fast forward to the present day here. So as you had said in the last week, we did have this campaign attributed to China, where Outlook emails compromised 25 organizations, including the State Department, the Commerce Department of Commerce Secretary Gina Raimondo, as well as some governments in Europe as well as some private sector organizations. And given how technically sophisticated the attack was, victim organizations couldn't actually see what was happening unless they had this premium level license, which is an E5 license in the private sector and G5 license for public sector organizations. So you had CISA putting out guidance saying, like, look at these premium logs, but you could only do this if you have a premium license. Microsoft alerting U.S. cybersecurity vendors that hey, it looks like one of your customers has been compromised. But the managed service security service provider couldn't actually see any of that because they didn't have that license. And this has really been the straw that broke the camel's back, you have Ron Wyden, the senator out of Oregon, who's just been hammering Microsoft on this. He's been for a while, but in particular in the wake of this.
So yesterday, Microsoft finally capitulated, they said that they were going to include more logging capabilities with their G3, or their E3 standard level license. And to give you the details on detailed logs around email access, which would have been very helpful here, as well as 30 other types of log data, and that the default retention period on logs at the standard level is going to go from 90 to 180 days. So a useful first step. I think there's definitely still more that CISA wants to see from Microsoft. And there's definitely more that some of the folks in the private sector want to see. And it's not that they're throwing out. They're not getting rid of the tiering around logs, that you're still getting all kinds of goodies, if you pay for that E5, for that G5 license that you don't get at the E3 or the G3 level, things like longer default retention periods, automatic support for important log data, and intelligent insights, which help determine the scope of potential compromise, that those features are still only available at the premium level. But I think the feeling is that from a visibility standpoint, they needed to step up the game for standard level Microsoft license holders.
Delaney: Yeah, that was really thorough, Michael, thank you. And I guess maybe it's the same for you, Tom, or whenever we host a roundtable on cloud, have discussions, transparency always comes up. And I always feel that security leaders are still not sure whether they trust cloud providers. So I think this is a good reminder that even the cloud is vulnerable.
Field: It's one of the drivers for multi-cloud environments is because the CISOs don't want to have all their eggs in a single provider's basket. It's a quandary because on one hand, they don't want to be tied to one particular vendor, but then they decry the lack of visibility across different vendor environments. So that's the state of cloud security today.
Delaney: And as you say, Michael, the premium service is not going away. But I think this is a good move.
Novinson: Yeah. And I think there's certainly a feeling that if Microsoft wouldn't do this voluntarily, that they're going to be forced into doing it, or at the very least, that there's going to be more congressional hearings where the executives are going to be subpoenaed and Congress people working to secure them. So I think there's a sense that either you take this action on your own or we might try to make you do this.
Delaney: Yeah, I really like the analogy of seatbelts and airbags. I mean, every car should have that regardless. Okay, well, finally, obviously sad news this week as we learned of the death of a hacker legend, Kevin Mitnick. And I think it has all come as a bit of a shock to us. So in his honor, I'd love to hear your favorite Mitnick story, memory moment, what comes to mind?
Field: You can't overstate the impact that he's had on our sector. And I understand that he committed crimes and spent time paying for those crimes. But I've come to know him more in recent years as the chief hacking officer of KnowBe4. And I know that his influence on cybersecurity education over the past decade or so has been immense. But I think that I'm going to credit him with much of what we understand about socially engineered schemes. That was where he made his fame, was in social engineering. And I think that so much of what happens today still goes back to basic, socially engineered schemes. And I'm reminded of a quote that he once offered us, which was that it is far easier to manipulate humans than it is technology. That was true. And he said, it is true today, it's going to be true forever. And it's something that we should pay attention to as we think about Kevin Mitnick and his impact on our field as for as much as we know, about socially engineered schemes, as much as we've learned, as much as he's taught us, there's still much more to pay attention to, because we're falling victim to these things every day. And that's something that he brought to our attention.
Delaney: Yeah, absolutely. I think his books are worth a reread. Michael?
Novinson: Trip down memory lane myself. I'd actually covered a keynote that he had delivered back in October of 2017. At a conference hosted by Continuum, a remote monitoring and management vendor that's now part of ConnectWise. And he was talking there about the need for organizations to move away from information security manuals that will read like the Las Vegas Penal Code. He was saying companies should have brochures with lots of images, less text and that delve into specific topics like choosing a good password. And one of the quotes you'd have in the keynote was if it's boring and disinterested, nobody's going to read it. And it certainly, if there's one thing that's true about Mitnick's life, it was never boring.
McGee: I just say overall in general that he was able to turn his life around and starting sort of on the criminal side of hacking, and to not only make a positive impact on the sector, but you know, he built a brand new career helping other companies. So I think that's commendable.
Delaney: Yeah, absolutely. Being from the world's most wanted hacker to really important voice of the defender community. I really liked this story when he was 16, and he hacked into a McDonald's drive-through, where he pretended to be a McDonald's employee and taking customers' orders. There's a real playful attitude of hacking and curiosity and breaking systems. But I think what he's done has been very positive I think. FBI, yes, being the world's most wanted, but I think he taught us lessons, indeed, and he said that anything out there is vulnerable to attack, given enough time and resources. So wise words.
Field: Over and over, all the best to his widow and to his unborn child.
Delaney: Brilliant mind and man. So thank you, everyone. This has been a lovely conversation. Thanks for your insight. Thank you so much. Until next time.