Announcer: From theCUBE studios in Palo Alto and Boston, it's theCUBE, covering IBM Think. Brought to you by IBM.

Dave Vellante: Hi everybody, welcome back to theCUBE's continuous coverage of IBM Think 2020, the digital version of IBM Think. Wendy Whitmore is here, she's the vice president of IBM X-Force threat intelligence. Wendy, thanks for coming on.

Wendy Whitmore: Thanks for having me, I'm excited to be here.

Dave Vellante: Yeah, you're welcome. With a name like X-Force, I mean, that is a killer name. Tell us about X-Force, how are you protecting us?

Wendy Whitmore: Yeah, we get a lot of interesting questions. So my team is responsible for a pretty wide range of things. They range from incident response, so when you think of data breaches, typically organizations will call an outside firm and we'll jump on a plane and respond to threats on site. Obviously right now we're jumping on a bit fewer planes, but we still are helping our customers investigate data breaches and we are on site when needed. We also have a team of threat intelligence analysts and researchers who are experts in a wide range of fields, from geopolitical issues to cyber-related issues to industry-specific ones. And then we've also got a team that does data breach simulations in a very immersive environment. We've got facilities in Cambridge, Massachusetts as well as within Europe, and now of course we're bringing all of those virtual as well. So really anything that helps our clients respond more effectively to a data breach is something that we do.

Dave Vellante: So X-Force is traveling right now on empty planes, I presume.

Wendy Whitmore: We are, as needed. So many clients have certainly shifted to where their whole environments are offsite and working remote as well. But we still have clients who are asking us to work on site, and in those cases we have added new protective gear to our go bags, which are usually equipped with hard drives and disk imaging software and passports, and now we have some additional equipment to bring as well.

Dave Vellante: And that breach simulation that you talked about, so is that like a penetration test or similar type of activity?

Wendy Whitmore: Yeah, great question. No, it's actually an immersive environment where we go in and actually simulate an entire breach for our clients. So everything from the initial attack, how they would do the data analytics, to things like how do they respond to the press and inquiries from the press about the breach? How do they do media training? How do they work with their legal counsel? So it's really a comprehensive, immersive environment that simulates kind of the heart pounding that occurs when you actually respond to a data breach.

Dave Vellante: Well, that's awesome. I mean, best practices in communications as well, maybe PR. I mean, that is obviously maybe something that's often overlooked, but something that you guys are applying best practice to.

Wendy Whitmore: It's such a huge piece of it now, right? Our organizations are not always graded just on the breach itself, but more so on how they respond and how they communicate. The good news in that scenario is that you can communicate effectively about a breach, and you can have something pretty negative that happens to your organization, but if you respond well and you communicate really effectively to your clients and to the public, we've seen time and again that those brands actually have no reputational damage. And if anything, their clients trust them even more moving forward.

Dave Vellante: We were early on in reporting the, just trying to measure the budget impact of COVID-19, but we were early in reporting the work-from-home shift. About 20% of the CIO organizations that we surveyed were actually spending more or planning to spend more. But many weren't prepared for this work from home. They had to really beef up, and not just adding licenses of video collaboration software, but the security for sure, VPN infrastructure, et cetera. So can you talk a little bit about how clients have responded, how you've helped them respond to that shift? How has the threat matrix changed?

Wendy Whitmore: Well, so in terms of the attack surface, you mentioned there's a lot more people working from home, right? So what we've got is over 220 million people in the United States, over one billion people in India alone that are now working from home. So as you can imagine, that attack surface has really increased from an attacker perspective, right? And coupled with that is that since March 1st, we've already seen a 6,000% increase in coronavirus-related spam. So you've now got this larger attack surface that organizations need to protect against, and you've got an increase in threats and threat activity that is attacking them. So from that perspective, you know, it's pretty difficult for CIOs who are used to defending an environment that may be more on site and now have this really wide range of attack surface; certainly more difficult for them to respond to. The other thing that we've seen, so one of the things that's super critical in these types of situations is to have an incident response plan and to make sure that you're testing it. So in our work that we've done, both with our incident response teams as well as with the teams that train clients in how to respond to breaches more effectively, we've seen that 76% of organizations don't actually have a consistently tested or applied incident response plan, and one in four have no plan at all. So I will say that in terms of how we're working with clients, the first thing that any organization can do right now is actually have a plan and test it. So if you're starting from scratch, it's really as simple as putting words on paper, understanding how you're gonna get ahold of your critical team members, having a backup plan in place for communication strategies if your primary infrastructure goes offline. So making sure you know how to get ahold of your personnel.

If you're more mature, then what we're really encouraging our clients to do is have a variety of scenarios that they're testing against and make sure that they're running through those. So a great one to practice right now would be a ransomware attack. In particular, how does your organization respond effectively to it? What do you do when you get the initial notification? Do you have critical and sensitive data that's backed up offline and not always connected to the network? If so, you're gonna be in a much better spot to effectively defend against those attacks and limit any of the negative impact from them.

Dave Vellante: So a couple of things I want to follow up on. What I heard was you've got more fragile work-from-home infrastructure and you've got somewhat, well, significantly more vulnerable users. I've often said bad user behavior is going to trump good security infrastructure every time. So you've got many more opportunities for the bad guys to get in. And so I'm hearing that incident response is now more critical than ever. It's always been critical. I mean, the communication to the board has been, hey, chances are we're going to get infiltrated. We've got to find it fast, and it's really about response, incident response. We can build moats, we can build layers, but we have to plan for that response. And so it sounds like that's something that maybe is heightened as a result of this COVID-19 crisis.

Wendy Whitmore: Oh, it absolutely is. I think it's now more critical than ever. I think there's two approaches, right? So one of them would be improvising through chaos, which we don't necessarily encourage, right? There's a difference between that and really managing through disruption. And that's what we're encouraging our clients to do, is look at how we can create sustainable processes and procedures. You may have a very well-established team that does response, but perhaps they haven't worked remotely before, right?

So that means testing those procedures now, taking them to a scenario where everyone is remote. What does that mean? It may mean that you need to capture less data over the network, because perhaps you just don't have the bandwidth or the capacity to do it. We've certainly looked at how we do that. How do we answer questions that are critically needed from an investigative perspective, for example, but without maybe all the resources that we would prefer to have? So what we're really looking at is kind of shifting the way that we've managed through these. And then you mentioned users who maybe sometimes make bad decisions, right? We're all guilty of that, because especially with that increase in spam there's also been an increase in nation-state actors who are now sending out new lures and new attempts to get access to environments that are related to coronavirus. So we've got cyber criminals, nation-state actors, everyone, and we're now at home looking to effectively defend. So some things that organizations can do with that would be ensuring that they have multi-factor authentication on all remotely accessible systems. So devices, applications, anything that can be accessed remotely should have multi-factor authentication. That will help limit some of the impact. As it relates to spam, organizations should really be making sure they've got good email spam filtering systems in place. And if they have the capability to send out some test emails to their employees, they should do that, right? We are getting them, I will say. Our CIO in their office does it at least once a week, where I know I'm getting a very well-crafted email and I have to really think twice. And it's really made me think differently about opening my email and making sure that I'm doing some due diligence, right? To make sure I know where the email's coming from. One of the things we do is also any external email is labeled external.

So that way if it's a lure that, you know, appears to be coming from another employee but it's actually coming from an external email address, that's another way to help users make some good decisions and really limit your attack surface and reduce the threat.

Dave Vellante: I think the points you're making here are very important, because if you think about the work-from-home cadence, it's a lot different. You know, you're not nine to five. I mean, no work's nine to five anyway. But your hours are different. Oftentimes you've got children at home. You've got dogs barking, kids are, you know, crawling all over us on the video. And so oftentimes, of course we're frenzied at work, but there's a different kind of frenzy. So you might not be as in tune. So you're basically saying, you know, exercise that a little bit to get people, you know, like a fire drill, to really get them tuned to being sensitized to such phishing attacks.

Wendy Whitmore: Right. Well, if you think about this from the viewpoint of an attacker, all those scenarios you mentioned, right? Where you have a global pandemic. So we're not just talking about a regional threat like a hurricane or a tornado. In the case of a pandemic or any of these types of situations, people are more likely to be reading the news, be probably checking social media more often so that they can get an understanding of the latest news and information that may impact them. Right. So if you're an attacker, you've now got this kind of environment of global chaos that's been created, and you can use it to your advantage, because the reality is as long as there's money to be made, attackers are going to want to take advantage of that scenario. So what we're really talking about is, as you're reading your work email, as you're checking your personal email, taking a step back, slowing things down amidst all the distractions, right? The barking dogs and coworkers that may now be at your house, also known as children, right?

So we need to really take a step back and make sure that we are slowing things down, reading and doing due diligence in opening emails. That will help all of the CIO and CISO type organizations more effectively protect their organizations and their clients as well.

Dave Vellante: When you talked about ransomware earlier, I inferred from your comments that, you know, best practice is to create an air gap. But I'm wondering also, can analytics play a role there, just in terms of identifying anomalous behavior? What else can I do to protect myself from ransomware?

Wendy Whitmore: Yeah, great question. So on the visibility side, which I think is what you're talking about, right? How do we detect these types of attacks? There's lots of great software out there; typically what we would want is visibility at the endpoints. So usually some sort of EDR tool, which is an endpoint detection and response tool, that's going to allow us to, you know, capture things like, in the old days we would talk about antivirus software, right? And now you really have kind of the next generation of antivirus software, which also gives you behavioral analytics and actions on the keyboard. We want to be able to detect that in any size environment. So the more visibility we have into that, the better. But aside from just adopting new technology, potentially there are best practice steps that we can take. And I mentioned earlier about making sure that you understand what is your most critical and sensitive data and that you've got it backed up. And a lot of times we go into environments and they say, well, yeah, we have backups, this is great, but what they're not realizing is that oftentimes those backups are connected to the network at all times. And in the case of a ransomware breach, you typically then will see those backups corrupted as well, and organizations will find themselves in a position where they say, well, we don't have any valid backups now that we can restore from in order to make sure that we have a safe environment.

And so it's important that organizations understand and do a survey of what is their most critical and sensitive data, and then make sure that's backed up offline. And I say that because it's not usually viable for organizations to have all of their data backed up offline, right? That costs a lot of money, that requires a lot of storage. But to really look at prioritizing their environment, their data within it, and making sure that they can have access to that which is needed. And then ultimately that's going to prevent you from even needing to have the conversation about ransomware, because you still have access to that data.

Dave Vellante: Okay, Wendy, I think you're making some really important points there, that the tech obviously is critical. People are shifting to SD-WAN, securing endpoints, securing gateways, but really the processes are very, very important. And I'll just throw out an example. If I'm making a snapshot to the cloud, I'm not backed up. You'd better make sure that you understand how to recover from that backup, because just that copy is not a backup. You need the proper type of recovery software and you need to test that. Your thoughts on that?

Wendy Whitmore: Yeah, that's absolutely true. So what we want to make sure is that during the course of a potential ransomware attack, right, the most critical sensitive data is available offline. So I mentioned earlier that testing is one of the best things that we're recommending, right? One of the most effective preparations is having an incident response plan and testing it for particular scenarios. And so in this case, one of the other things that we talk about a lot is limiting the impact of a breach, right? Every organization is going to get attacked, especially in today's day and age where you've got a larger attack surface. The win is really limiting the impact of that attack and limiting the cost.

And having an incident response plan and having a team of people, whether they're internal or external, that are responsible for responding to attacks is the number one cost management, right? The number one decrease in cost is having access to that team. Typically it will save an organization over a million dollars, when the average cost of a data breach is about $4 million. So that's pretty significant. And ultimately if we can test, as you mentioned, those backups, that they are available in an offline scenario, over the course of one of those IR program plans or tests, that's great. It's a win for the organization. They can ensure that that data is going to be available, and it really helps them exercise that muscle memory in advance of an actual attack.

Dave Vellante: Yeah, that's all. I mean, the backup corpus actually becomes an even more important component now. This has been great information. Where can people go specifically as it relates to COVID-19? I mean, I want to go look up a checklist to make sure; I've been scrambling to get my home workers up and running, get them productive. But boy, I really want to focus now on the things that I should be doing to button up my organization. Where can I go to learn more about this?

Wendy Whitmore: Yeah, so there's so much great information out there, right? From everyone in the industry, but IBM is clearly no different. So what we've done is actually repurposed the IBM.com homepage, where we've got a tremendous amount of information on COVID-19, and then IBMsecurity.com as well. Our team that focuses on breach response has in particular a site called X-Force Exchange, where we're sharing indicators, and we have a particular component that's related to COVID-19 specifically.

And then lastly, we've got a free service, which is a threat intelligence enclave that we are hosting with our partner TruSTAR, that is specific to COVID-19, where industry organizations can sign up and then share in real time threat indicators related to this, and have really that intelligence that's been also qualified by their peers. And many large organizations are using that to defend their environment. So a lot of great resources out there.

Dave Vellante: Wendy, you're an amazing source of knowledge. Thanks so much for coming on theCUBE, but thanks to the X-Force team, doing some travel when necessary and helping people really get a handle on this in this crazy crisis time. So thank you very much, I really appreciate it.

Wendy Whitmore: You're welcome, and certainly stay safe, and thanks for having me on.

Dave Vellante: Back at you. And thank you everybody. This is Dave Vellante for theCUBE. You're watching our continuous coverage of IBM Think 2020 Digital Think. Right back, right after this short break.