Most IT managers are familiar with the notion of a zero-day exploit or finding a new piece of malware or threat. But what is worse is not knowing when your company has been hacked for several months. That was the situation facing Jaya Baloo when she left her job as the chief information security officer (CISO) for Dutch mobile operator KPN and moved to Prague-based Avast. She literally walked into her first day on the job having to deal with a breach that had been active months earlier.

Baloo says there were several reasons why she first considered working for Avast, which makes a variety of anti-malware and VPN tools and has been in business for more than three decades. “When I interviewed with their senior management, I thought that we were very compatible and that I fit in with their culture,” she says. Baloo liked that Avast had a global customer reach and that she would be working for a security company.

But after she accepted her job offer during the summer, the IT staff found evidence in late September that their environment had been penetrated since May. The evidence pointed to a compromised credential for their internal virtual private network. Baloo’s first day at Avast was Oct. 1, and in the first three weeks on the job, she had numerous fires to put out. Baloo never thought making the move to Avast was going to be a challenge. “Before I got there, I thought the biggest downside was that it was going to get boring,” she says. “I thought this job was going to be a piece of cake.”

Several problems to solve

Fat chance of that. During those first weeks, Baloo quickly realized she had to solve several problems.

First was to figure out how the intrusion happened and what damage was done. As part of the investigation, she had to go back in time six months and examine every product update that was sent out to ensure that Avast’s customers weren’t infected. This also led to understanding what parts of the software supply chain were compromised. These things weren’t easy and took time to track down. They were hampered by having logs that were misleading or incomplete. Evidence also had been inadvertently deleted.

Second was to build up trust in her staff. During her interviews, Baloo was very hopeful. “I felt that I didn’t have to sell them on the need for security, since that was their focus and their main business,” she says. “I thought that they would be a source of security excellence.” To her surprise, Baloo found out that Avast was a typical software company, “with silos and tribes and different loyalties, just like everyone else.” As she began working there, she also had to climb a big learning curve: “I didn’t know whom to believe and who had the right information or who was just being a strong communicator.” The problem was not that Avast staffers were deliberately lying to her but that it took time to get perspective on the breach details and understand the ground truth of what happened during and after the breach. Some stories were harder to elicit because staffers weren’t used to Baloo’s methods.

Third was to develop a game plan to restore order and confidence, and to ensure the breach was fully contained. Baloo made several decisions to revoke and reissue certificates, to send out new product updates, and to begin the process of completely overhauling the company’s network and protective measures. Twenty days into the job, she posted a public update that described those steps.

In discussing her experience, Baloo reveals a series of tenets from her previous jobs as a security manager.

1. Doubt yourself continuously. First and foremost, avoid complacency and be paranoid about your capabilities. “You need to have a plan for widening your own field of view, security knowledge, and perspective,” Baloo says. “You have to include more potential threats and need to challenge yourself daily. If you don’t, everything is going to look normal.” Many security staffers have a tendency to pay more attention to their systems, she notes, and if a system isn’t complaining or issuing alerts, the staff thinks all is well. Complacency can be dangerous, because “you tend to hunt for things that you expect, and that means you are only going to find things you are looking for,” she says. Part of the issue is that you have to be on the lookout for the unexpected and push the envelope and have a plan for improving your own security knowledge and skills.
2. Trust people before systems. “We have a lot of faith invested in our systems but not necessarily in our people. That is the reverse of what it should be,” Baloo says. “We tend to focus in our comfort zone, and our zone is in tech and metrics.” But CISOs need to listen to their teams. “I like a team that can tell you when you are wrong, because that is how you learn and grow in the job and have a culture that you promote too—and above all to do it with a sense of humor.”
3. Build a functional security operations center (SOC), not just a stage set. “A SOC should support your people, not have 10,000 screens that are pretty to look at but that really say nothing,” she says. “The utility of a SOC is to be able to provide the subtle clues that something is wrong with your infrastructure. As an example, you may still have firewall rules that allow for malware to enter your network.” Whether you have your own SOC or outsource it, its capabilities should match what is going on across your network.
4. Suspect everything in your infrastructure. Trust nothing and scan everything. Baloo suggests starting with monitoring your oldest gear first, which is what Avast did after it found the breach. “Stop making excuses for this older equipment, and make sure you don’t take away the possibility that you need to fix something old. You can’t be afraid of scanning something because this aging system might go down. Do pen testing for real,” she says. Part of a good monitoring program is to do it periodically by default and make sure that all staff know what the IT department is monitoring. “The goal isn’t big brother-style monitoring but to find oddball user behavior and to make it visible. With cybersecurity, prayer is not an option.”
5. Do your own phishing awareness training, and do it often. While there are any number of awareness vendors that can help set up a solid program, the best situation is to craft your own. “You know your own environment best, and it isn’t hard to create believable emails that can be used as a learning moment with those users who end up clicking on the bait,” Baloo says. “Phishing awareness training is really a people problem and very hard to get significant improvement, because all it takes is one person to click on something malicious. [At KPN], we were always successful at getting people to click. For example, we sent out one email that said we were changing the corporate policy on free coffee and tea and had users enter their credentials for a survey.” Part of rolling your own awareness program is being up on the most important email authentication protocols, such as DMARC, DKIM, and SPF, so you can have confidence in your controls.
6. Set the appropriate level of security awareness for every specific job role. “You don’t want your entire company knowing everything about your complete security policy, just what is needed for them to do their jobs,” Baloo says. “And we should tell them how to do their jobs properly and not focus on what they are doing wrong, too.” As an example, she says the customer care department should understand the best practices on how to handle customer data.
7. Be as technical as possible. “I see a lot of CISOs that come from a higher-level risk management background and don’t take the time or have the skills to understand the details of how their security technology works,” Baloo says. “You shouldn’t be afraid to dive deeper.” She also sees CISOs that come from a regulatory background. Some of the biggest attacks, such as the one on Target, were compliant with regulations at the time. Compliance (such as with satisfying GDPR) has turned into a paper exercise rather than checking firewall rules or doing more technical checks. Instead, organizations get caught up in producing “compliance porn that gets sent to the board and then you get pwned,” she says. “Stuff gets lost in translation to management, and you need this technical background.”
8. Prioritize your risk intelligence. You have to know what to act on first; it is all about triage. “You fix someone with a heart attack before fixing a broken bone,” she says. This means matching risk with relevance. Part of this is doing a level of sanity checking with other organizations to see what they have included in their risk profiles. Don’t do the easy stuff first just because it is easy.
9. Don’t panic and destroy evidence. As Baloo found out during her response to the Avast attack, you need to understand that an infected PC can be useful in determining your response. “Every member of the enterprise needs to be part of your response,” she says. Part of this is being trained in how to preserve evidence properly.
10. Start with open source security tools first. “I am not a fan of building custom security software unless nothing like it exists on the market and it is absolutely necessary,” Baloo says. “And if you write your own tools, go the open source route and embrace it entirely: build it, make it available with peer review, and let someone else kick it. I have seen too many custom systems that never get updated.”

Random bits:

How do you align your security strategy to the NIST Cybersecurity Framework (Identify, Protect, Detect, Respond, and Recover)?

“My philosophy is aligned with NIST, but I’m more polytheistic in terms of standards. Customers and partners often want to see compliance with a standard like ISO or ISF. You have to make sure you’re compliant, but in honesty, compliance is not the right goal, Real security is. Standards help you set the minimum bar.” —Jaya Baloo, CISO, Avast

Can we get your perspective on zero trust models?

“Zero trust is a professionally paranoid CISO’s dream. It calls for robust implementation around the ideas of intrinsically hostile networks, least necessary privilege, microsegmentation, and contextual authentication. I think it’s a huge improvement on traditional perimeter-based security architectures.”—Jaya Baloo, CISO, Avast