Tom Kellermann's New Mission: Secure the CodeCybersecurity Veteran Focuses on Advising Government, Financial Sectors Tom Field (SecurityEditor) • September 29, 2022
Over his 23-year career in cybersecurity, Tom Kellermann has focused on policy, endpoints and even strategic investments. Now, in his new role as senior vice president of cyber strategy at Contrast Security, his mission is directed at protecting code security - particularly in the public and financial sectors.
Kellermann worries that the "digital transformation of corporate America is being hijacked" by attacks against software supply chains, software development, integration and delivery infrastructure. In his new role, he hopes to help keep these key business initiatives on track.
"There's too much trust placed in APIs and too much trust placed into development environments, which really necessitates continuous monitoring," Kellermann says. "One of the things I've always said is: 'Continuous monitoring must go beyond production and operational environments and extend into development.'"
In this video interview with Information Security Media Group, Kellermann discusses:
- His new mission at Contrast;
- How adversaries are targeting applications and APIs;
- How the Russia-Ukraine war has changed the threat landscape - and what to look out for in the months ahead.
Kellermann, senior vice president of cyber strategy at Contrast Security, is the former head of cybersecurity strategy at VMware, as well as the former CEO of Strategic Cyber Ventures. He served on the Commission on Cyber Security for the 44th president of the United States and was an adviser to the International Cyber Security Protection Alliance. When he served as chief cybersecurity officer for Trend Micro, he was responsible for analysis of emerging cybersecurity threats and relevant defensive technologies.
Tom Field: Hi, there. I'm Tom Field. I'm senior vice president of editorial with Information Security Media Group. Taking a look at the Q4 cybersecurity outlook, I am joined today by Tom Kellermann. He is the newly appointed senior vice president of cyber strategy with Contrast Security. Tom, always a pleasure to see you. Congratulations on your new role.
Tom Kellermann: Appreciate it, Tom.
Field: You recently joined Contrast Security about a month ago. What was the draw for you to this role? How would you describe the mission?
Kellermann: VMware is a fantastic company. Carbon Black was a fantastic experience. But I wanted to work for an organization that was on the cutting edge - cutting edge specific to how offense can inform defense. I saw a dramatic increase in application attacks and attacks against APIs, which adversaries have been using tile on top when I was at VMware, and I'm recognizing and appreciating, as you've heard me, say for a long while now that, essentially, the digital transformation of corporate America is being hijacked to attacks against the supply chains. These attacks are targeting not only software development, but integration and delivery infrastructure. Given that I was always someone who was amazed by the work of the pioneer of OWASP, Jeff Williams, I came across Contrast and spoke to Jeff and I realized that I wanted to be his right hand man, and help folks shift left of boom and allow themselves to defend in real time against application attacks.
Field: API isn't new endpoint, right?
Kellermann: That's a fact. It's nothing new for that matter. But I think there's too much trust placed in API's, and there's too much trust placed into development environments, which necessitate kind of continuous monitoring. One of the things I've always said is continuous monitoring must go beyond just production and operational environments, but extending the development.
Field: If we thought people lacked visibility into their endpoints, how about their APIs?
Kellermann: To say the least.
Field: Tom, what would you say you learned from your experience at Carbon Black, and then VMware after the acquisition.
Kellermann: Carbon Black was an amazing ride. I loved working for an organization that was singular, focused on one element of cybersecurity, and I love that and then I was blessed to be part of VMware through acquisition. But VMware had five priorities and cybersecurity being one of them. I needed to get back to that singular priority. But what was interesting about being a VMware, where they do take their own internal cybersecurity very seriously, and they have shown great commitment to things like the JCDC and others, is that the greatest concern for VMware, much like the greatest concern for most corporations should be the construct of island hopping, they didn't want their infrastructure to be used to attack their constituency in any way, shape, or form. One of the biggest challenges that they and many other corporations face is the whole construct of rugged code and, and meantime to remediation, is taking far too long. Because scanning is essentially ineffective and so, context has become paramount. I think it's important that for me, as someone who's been in cybersecurity for 23 years now, I need to be part of a more nimble, smaller organization from 40,000 to 450. It's my sweet spot. I need to be able to move and focus on my customers and help the organization grow. In my role here, it's specific to creating the strategy and operationalizing the strategy for both the financial sector and the government sectors globally, for Contrast Security.
Field: Maybe a smaller team, that's a huge mission.
Kellermann: It is a huge mystery, particularly when we have I would say three of the top five financial institutions, two of the top five telcos, three of the top five healthcare providers, two of the largest tech companies were being customers of ours, and we have an obligation to them to not only improve our capabilities, but to be their trusted advisor as they deal with an onslaught of application attacks and API attacks.
Field: We started this year 2022 under the shadow of Log4j, which sprung on us right before Christmas last year. And here we are today. What concerns you most about the state of code security, as we sit here on the cusp of Q4?
Kellermann: Scanning is ineffective. There is insufficient context, ground truth. Application security must be continuous at least from running from inside the application itself, which allows you to see vulnerabilities without guessing. You need to be able to see vulnerabilities in development and directly measure them against attacks in production. You must treat every vulnerability as a potential attack. Also the velocity of change requires that you discovered zero days in libraries and frameworks as well. You need to kind of conduct continuous monitoring across those environments. I think also we should be remiss to forget that we need to employ intelligence, runtime protection. It's an imperative to eliminate entire classes of attacks so that your developers can focus on what's important and be shielded from a classes of attacks, as described by OWASP for years that are still viable.
Field: We learned 10 months ago that most enterprises aren't prepared to do that. I don't think that they've gained great maturity overnight.
Kellermann: No, and there's this whole regime change that's occurring. Developers have become much more important and critical to organizations, whether they hire themselves or they outsource that development process. But we need to understand also that geopolitical tension has recent tipping point and more and more nation-states and cybercrime cartels understand the ubiquity, the interdependencies of developers and development at writ large. Which is why the last two years have been the years of the zero day, and which is why you're seeing more systemic attacks possible, like Log4j, which could have been prevented had you been able to protect in runtime.
Field: Geopolitical tension - Tom, right after the start of the year, Russia attacked Ukraine. What would you say we've learned about cybersecurity offense in wartime? It's first time we've seen it on such a stage.
Kellermann: It is and, it began January 13, where the DEV family of destructive payloads were unleashed against the world. As a result, you saw unprecedented information sharing by the Five Eyes, correspondingly through the JCDC to batten down the hatches and defend against these pernicious attacks, whether it's the disruptive payloads are being unleashed, or the new forms of botnets. They're being used as platforms to distribute those payloads. Just recently, Noberus, as discovered by Broadcom, was unleashed against the world. Quite interesting, purposely built in Rust, to go after critical infrastructure, using two different encryption algorithms on even four different encryption methodologies to obfuscate themselves, it's from defenders. At the same time, you saw the sabre-rattling by Mr. Putin, vis-à-vis the threat of using nuclear weapons. And we need to understand that every time we see that type of sabre-rattling, there's a direct cyber manifestation of that. Just yesterday the Ukrainian warning about attacks against critical infrastructure in the West, and then it's obvious that the Russians have sabotaged the gas pipeline to Europe within the last 36 hours. I think that we're going to see a dramatic escalation as Russia's gloves are off and whether or not they use a tactical nuke. They will attempt to use a tactical nuke in cyberspace is my perspective on this. We've been lucky. It's been great, unprecedented information, sharing tremendous leadership across the Five Eyes, both from the U.S. to the U.K., etc. But we need to keep our guard up.
Field: Is Russia who we thought they were?
Kellermann: I don't think they were expecting the level of coordination. I don't think they were expecting the implicit information sharing and the forward leaning defensive posture of NATO and the Five Eyes. I also think they underestimated the capacity of the Ukrainian cyber defenders to defend themselves to maintain resiliency against the attacks. I think they underestimated Cyber Command and her NATO allies' capabilities as it relates to disrupting their efforts, disrupting their forums, disrupting the ephemeral trust that exists between cybercrime cartels and cyber spies. Now that they've recognized that, I think they've learned to appreciate that and their OpSec is getting better. But still, we're not the ones launching destructive attacks against them. For that matter, perhaps, if a significant systemic destructive attack is successful against critical infrastructures in the U.S., Cyber Command should probably take its gloves off.
Field: We talked about offense. What have we learned from Ukraine and its cyber defenders?
Kellermann: Like I just said, they've been incredibly resilient. They've benefited dramatically from intelligence provided by NATO and the Five Eyes. They've done a great job of defense of in-depth, suppressing intrusions in real time, and putting pressure and pain on the operational security of the cyber warriors of Russia. That being said, they're short staffed or under siege. And they're operating in a war zone primarily. They can only hold up for so long, I would say, particularly when you're seeing much more cooperation and collaboration, and even distribution of traditional weaponry from China and Iran to Russia. It's inevitable that will correspond into cyberspace as well.
Field: We're 10 minutes into this conversation. I believe we haven't talked about ransomware yet, I don't think we've talked about China or software supply chain security. As we do head into this last quarter of 2022, what are the cyberthreats and the threat actors that give you the most concern?
Kellermann: The threat actors, specifically Sandworm, APT28, APT41. Most concerning to me is Sandworm and APT28. Sandworm because of their desire, and because of the historical precedents they've set with launching disruptive payloads and attacks. APT28 because of their desire and the nature in which they island hop and they could distribute destructive attacks from compromised environments, compromised applications, etc. APT41 because they're wicked good. They also appreciate island hopping and they may already be in systems, you got to root them out. In terms of attacks, I predict two phenomenon of concern, I think another untrusted deserialization vulnerability will be introduced to the world, which will have everyone essentially putting out a forest fire that's been set by whatever rogue nation state unleashed that arsonist, and then I think a major public cloud will be compromised, and as a result, a rogue nation-state will systemically island hop through that environment and deliver wiper payloads against the constituency of those environments.
Field: We've talked about code security. Where do you see our biggest defensive gaps?
Kellermann: I think there's too much emphasis on SBOMs. They're important, it's important to know what's in the code, I get it. But there is not enough import or focus on the capacity to intelligently provide runtime protection. Runtime protection is here to stay. Forget the issues with latency, particularly as it relates to .NET environments, Java environments, Node environments, etc. You need to appreciate that you can stop entire classes of attacks. If you want to solve for attacks, like untrusted deserialization, there's only one way to solve for that. In addition to that, I think I would just bring it back to continuous monitoring - continuous monitoring must be occurring in perpetuity in those development environments. We need to reduce MTTR - meantime to remediation. Right now, on average it's in the weeks, we need to get less than a week, at a minimum, hopefully and within 48 hours, because the velocity of change requires that you discover those zero days in both libraries and frameworks.
Field: Sounds like you're not a fan of nutritional labels when there's poison in the container.
Kellermann: It's important to have nutritional labels, but something must be done to it. But the vulnerability must be remediated. Don't just tell me it exists because you've included the ingredients.
Field: Tom, we're approaching the Biden midterm. I suppose you've heard that in Colorado. How would you say this administration has fared in prioritizing cybersecurity? They certainly garnered headlines.
Kellermann: Compared to previous administrations, I give them an A minus. I think there's fantastic leadership. I think there's still challenges with resources and specific authorities. But they've been fantastic. I tip my hat to their efforts. I just hope that they're given greater authority and greater resources to enhance the economic and national security of the U.S. and empower our allies to fight the fight with those four rogue nation states as we are dealing with a cyber insurgency.
Field: Now that's the second part of it. How do you counsel this administration to proceed in this next two years and I know you get that opportunity.
Kellermann: Allow the Cyber Command to proportionately take its gloves off in response to destructive cyberattacks or attacks against, under Geneva Accords, industries that will be rendered be off limits from attacks like health care, etc. empower the federal government to mandate and provide resources to state and local governments as it relates to their cybersecurity postures. When if there's a lack of resources lean in on follow the money and forfeiture, improving forfeiture laws and anti-money laundering laws to forfeit the virtual currencies associated with cybercrime, cyber espionage and child pornography and use those funds explicitly for critical infrastructure protection in the U.S. from cyberattack and then most importantly, do more, yes, challenge the industry more. Challenge the industry beyond SBOMs to instrument continuous application security testing, to instrument runtime protection in those things that they've developed that could become a systemic threat if compromised by these nation states.
Field: Tom, two years ago was SolarWinds at the holidays. Last year was Log4j. As you're watching us head toward this 2022 holiday season, what do you look out for?
Kellermann: Log4j part two, part three, it's inevitable that's going to occur any day. That type of attack is something that could be widely systemic and create systemic cascading effects across our infrastructure. But again, more to my point that I raised earlier, I have serious concerns about public cloud security, I have serious concerns about serverless security. I have serious concerns of what an adversary could do not just breaking into those types of environments, but misusing those environments, those platforms to attack their constituencies with destructive payloads. We need to pay close attention to that. We need to do much more in the area of serverless security, and we need much more in the area of anticipation of that type of attack that type of island hop from the cloud.
Field: How will you be spending your time between the financial services sector and the public sector?
Kellermann: I'm laser focused on developing the strategies for both sectors globally and how we will interact with the sectors, how we will assist those sectors, how we would share information with those sectors, not limited to just, go to market, but more importantly, with the regulator's or interactions where the standards bodies, also how we're supporting our clients in both of those sectors, how we're empowering them with visibility and ground truth. Newfangled means to protect themselves from a surge of application attacks and API attacks.
Field: Tom, pleasure to catch up and I look forward to seeing you again one day soon.
Kellermann: Thank you so much for having me.
Field: We've have been talking to Tom Kellermann. He is senior vice president of cyber strategy with Contrast Security. For Information Security Media Group. I'm Tom Field. Thank you for giving us your time and attention.