A Conversation with Carolina Terrazas: Gaming Your Security Strategy
Mike talks with Cisco cybersecurity specialist (and avid gamer) Carolina Terrazas about how she helps CISOs prioritize their security spend using game theory.
Welcome to In Scope, the healthcare security podcast. In each episode, we bring you insightful interviews, informative technical tips, and a unique point of view on the challenges facing the ever-changing healthcare ecosystem with host, Mike Murray.
In this episode of In Scope, the healthcare security podcast, host Mike Murray interviews Carolina Terrazas. Mike and Lina have been friends for some time, though up until this point, their friendship has been mainly virtual. Today, though, they sit down together to talk about Lina’s recent training for healthcare customers. The webinar was a project Lina completed in her position as a cybersecurity specialist for Cisco. Before turning to the main topic of the interview, Mike explains that Lina has worked in security for many companies, such as FishNet Security (now Optiv) and Microsoft, but for the past 7-8 years she has been with Cisco.
This experience gives Lina broad knowledge of the security field, including the sub-section of healthcare security. Mike clarifies that, in a conversation with Lina on Twitter, he learned she had recently offered a training webinar to her healthcare customers. However, when he asked to watch it because of his interest in the topic, he learned it was not recorded. From there, the idea for the current podcast episode was born; Lina agreed to join Mike to share with listeners the healthcare security insight she shares with her own clients.
Jumping right into the content of the training, Lina shares that it was a response to recent announcements and advisories about healthcare customers being targeted semi-overnight, with indications of large-scale attacks being prepared. Lina wanted her customers to go into “triage mode,” addressing security issues in order of importance. So she applied game theory to help them think about their portfolios and assets, pinpointing their priorities and the security tools they actually need.
As Lina applied game theory, the priorities she isolated drew on an amalgamation of various annual security reports, heavily favoring sources like Cisco’s annual security report. There were no surprises in the data she collected, but it reaffirmed the need for customers to focus on DNS (Domain Name System), email, and 2FA (Two-Factor Authentication). All three are, after all, critical to protecting the three environments blended within the healthcare space.
Looking directly at DNS, Lina and Mike discuss how DNS filtering can render a compromised clinical device useless to attackers. They also note that healthcare companies often do not give DNS enough attention, even though it is an easy topic to discuss with someone like Lina and it solves a lot of problems.
Switching gears, Mike asks Lina to explain her use of math in the sphere of threat intelligence and security. Lina provides a basic definition of game theory as it applies to her work, explaining that it looks at all possible outcomes or solutions to a problem, assigns value to them all, and ranks them. She explains how security workshops and visualization were not satisfying for her; she wanted to give more to customers. She wanted to offer numbers as she made prioritization recommendations, numbers concerning different technologies and revenue impact.
The concept of assigning values arose from Lina’s sense that something was lacking in the recommendations made to healthcare companies. Over drinks in Chicago, she and some of her engineer friends came up with a grid that laid the places in the network where data lives against the available controls, assigned values, and correlated them so that priorities could be determined. The work did not stay with Lina, though; it left her hands, and other Cisco team members turned it into an internal app.
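The grid described above (and in more detail later in the transcript) is simple enough to reproduce in a few lines. The example below is added here and is not Cisco's internal app or Lina's spreadsheet; every PIN name, revenue share and control cost in it is constructed for illustration. It goes one step beyond the plain "add up the ones" version by also weighting each hit by the PIN's revenue share and dividing by an assumed control cost, which is the "bang for the buck" ranking Lina mentions.

```python
"""Control-priority grid: places in the network (PINs) across the top,
candidate controls down the side, a 1 where a control protects that PIN.
A control's score is its row sum, optionally weighted by each PIN's
revenue share; ranking the scores gives the purchase order.
All names, percentages and costs here are constructed for illustration."""
from typing import Dict, List, Optional, Tuple

# Constructed PINs (grid columns) with an assumed share of revenue that
# depends on each one staying up, in whole percent to avoid float noise.
PIN_REVENUE_PCT: Dict[str, int] = {
    "clinical_network": 40,   # imaging, pumps, monitors
    "ehr_datacenter": 30,     # electronic health records
    "billing_systems": 20,
    "corporate_it": 10,
}

# Constructed grid rows: which PINs each candidate control covers.
CONTROL_COVERAGE: Dict[str, List[str]] = {
    "dns_filtering": ["clinical_network", "ehr_datacenter",
                      "billing_systems", "corporate_it"],
    "email_security": ["ehr_datacenter", "billing_systems", "corporate_it"],
    "mfa": ["ehr_datacenter", "billing_systems", "corporate_it"],
    "endpoint_agent": ["billing_systems", "corporate_it"],  # no agent on scanners
    "dc_segmentation": ["ehr_datacenter"],
}

# Assumed relative cost of each control (licence plus people), same unit.
CONTROL_COST: Dict[str, int] = {
    "dns_filtering": 10, "email_security": 20, "mfa": 15,
    "endpoint_agent": 30, "dc_segmentation": 25,
}


def build_grid(coverage: Dict[str, List[str]],
               pins: Dict[str, int]) -> Dict[str, Dict[str, int]]:
    """The grid itself: control -> {pin: 1 if covered else 0}."""
    return {c: {p: int(p in covered) for p in pins}
            for c, covered in coverage.items()}


def score_control(row: Dict[str, int],
                  weights: Optional[Dict[str, int]] = None) -> int:
    """Row sum; with weights, each 1 counts as that PIN's revenue share."""
    if weights is None:
        return sum(row.values())
    return sum(weights[p] * hit for p, hit in row.items())


def rank_controls(grid: Dict[str, Dict[str, int]],
                  weights: Optional[Dict[str, int]] = None,
                  cost: Optional[Dict[str, int]] = None
                  ) -> List[Tuple[str, float]]:
    """Highest value first; with cost, value is score per unit cost.
    Ties break alphabetically so the order is deterministic."""
    ranked = []
    for control, row in grid.items():
        score = score_control(row, weights)
        ranked.append((control, score / cost[control] if cost else score))
    ranked.sort(key=lambda cv: (-cv[1], cv[0]))
    return ranked


if __name__ == "__main__":
    g = build_grid(CONTROL_COVERAGE, PIN_REVENUE_PCT)
    print("coverage count:", rank_controls(g))
    print("revenue-weighted:", rank_controls(g, PIN_REVENUE_PCT))
    print("per unit cost:", rank_controls(g, PIN_REVENUE_PCT, CONTROL_COST))
```

With these constructed inputs the control common to every PIN comes out first under all three rankings, while the cost-adjusted ordering moves the cheaper of two otherwise tied controls ahead.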
As the conversation concludes, Mike and Lina, both vendors, talk about a failing many vendors demonstrate: not listening to customers and understanding them, and not making targeted recommendations, pushing instead for every client to purchase all available security tools. Mike points out the need to be better for customers, and Lina notes that, because her company has so many competitors, she has to be different in order to stand out. And of course, she’s already demonstrated a commitment to serving her customers well!
– Mike introduces the episode and Lina.
– Mike shares how the conversation came about.
– So, let’s talk about the recent training webinar!
– What priorities emerged from Lina’s work?
– Mike and Lina talk DNS.
– Mike wants to switch gears and explore Lina’s decision to apply math to her work.
– How did the concept of assigning values come to be?
– The grid left her hands and was made into an internal app.
– As vendors, Mike and Lina offer thoughts on common vendor failings.
0:00:02.9 Speaker 1: Welcome to In Scope, The Healthcare Security Podcast. Each episode, we bring you interviews, technical tips and a unique point of view on the challenges facing the ever-changing healthcare ecosystem. Here’s your host, Mike Murray.
0:00:21.4 Mike Murray: And welcome to another episode of In Scope, The Healthcare Security Podcast. As always, I’m Mike Murray. Today, I’m really excited. I have a friend of mine who I’ve only really known virtually. And we’ve actually just been catching up and getting to know each other face-to-face, as one does in 2020. Really lucky today to have Carolina Terrazas with us. She’s a cyber security specialist over at Cisco. Has worked at a bunch of different places. FishNet Security, for those who remember FishNet from about 10 years ago, really cool company out of Kansas City. She spent some time at Microsoft and has spent the last seven or eight years at Cisco, where she’s done all kinds of really interesting things.
0:01:01.8 MM: And I wanna say how we got here, ’cause it’s kind of a fun story. We were talking on Twitter, and Lina said that she had just done a training for a bunch of healthcare customers, and I said, “Can I watch it?” Because obviously I like healthcare security stuff and kinda nerd out about it. And she said, “Well, I didn’t record it,” and I said, “Well, then come on the podcast and let’s talk about it.” And so here we are. So Lina, welcome.
0:01:27.1 Carolina Terrazas: Thank you, thank you for having me.
0:01:28.9 MM: No, I’m so excited. So let’s talk about the training you did and what you told everybody? Let’s tell all the other healthcare customers what your healthcare customer is like?
0:01:38.8 CT: Dodge a bullet to secure all the things. No, I’m totally kidding. I make fun of vendors all the time, even though I’m a vendor, so it’s a fun pastime. So the webinar I basically had was in the midst of all of the announcements and advisements around healthcare customers being targeted sort of semi-overnight and people seeing indications that a large-scale attack was getting ready to be launched. And so I wanted people to sort of go into triage mode and apply a little bit of game theory to how they view their security portfolio, how they look at their assets. The problem… One of the many problems we have in security is, there are a bajillion tools out there. It’s really hard for people in leadership to understand what they need, and unfortunately, it ends up being very often, whatever the shiniest thing they saw, in a booth at RSA or in an article that someone sent them, or what… A rotating banner ad or something. And sure, that may be a very worthwhile tool, whereas you’re buying iron bars for a window and your front door is wide open, kind of thing.
0:02:49.2 CT: So I wanted to sort of baseline because I felt like I was having the same conversation a lot with healthcare customers where they would be super hyper-focused on their endpoint solution, then I would say, “What are you doing for DNS filtration?” And they would go, “What do you mean?” So just looking at things from a more macro view and making the assumption that you’re not gonna have unlimited funds or unlimited operational warm bodies to throw at a problem, a security problem. How do you prioritize? And so I try to use a little bit of math to help people do that.
0:03:22.0 MM: And so what priorities did you come up with? You mentioned DNS.
0:03:26.2 CT: Yeah, so just showing an amalgamation of various annual security reports, obviously heavily favoring things like the Talos Cisco annual security report. And what we’re seeing, from a threat perspective, and nothing that I talked about would be a surprise to any of the security practitioners that listen to your podcast. Things like 91% of the time, malicious attacks were still coming in over email attachment, or 92% of the time, modern malware uses DNS for some part of the kill chain.
0:04:00.4 CT: And so simply by doing something reasonable in both of those arenas, the rest of your tools don’t have to work as hard, your analysts don’t have to work as hard, because you’ve knocked down the majority of what’s out there. So those types of conversations and applying that math to sort of a priority list.
0:04:20.9 MM: It’s funny to me how few… So if you talk to really, really good threat intel people, DNS always comes near the top of the list, but how many people don’t ever even think about DNS? It blows my mind, because to me, that’s one of the places you start, not the thing you add on fourteenth. And actually, I’m surprised there was one that you didn’t mention. I’m surprised you didn’t say 2FA.
0:04:45.2 CT: Oh, that was the next one down on the list. So I think I saved a screenshot of it. So if you look at it in order, it’s DNS, then email, then multi-factor authentication.
0:04:52.7 MM: That’s funny, ’cause in my head, it goes, 2FA, email, DNS, but at this point, we’re splitting hairs, right? It’s a coin flip. If you don’t do all three of those, you’re probably doing something wrong.
0:05:04.4 CT: Yeah.
0:05:05.5 MM: And especially in healthcare. And actually, you haven’t talked about this, but it’s something that I talk about a lot, is that healthcare is three environments blended into one, and it’s where I think the DNS stuff especially comes in. Your IT stuff in a hospital, you’ve kinda got covered, you probably have Endpoint, you probably have some sort of network control, etcetera, etcetera, in your IT world, but on the clinical network, you can’t put Endpoint software on a CT scanner. Well, actually, that’s not exactly true. All CT scanners come with some version of McAfee or Symantec antivirus from about 10 years ago, sometimes 15, but not really useful Endpoint software. So in that scenario, when it’s… And I use CT scanner as my default medical device in my head ’cause it’s just where I go, but when one of those devices gets popped, DNS starts to become an incredibly effective detection channel. Right?
0:06:00.5 CT: Yeah, absolutely. It’s gotta figure out, so whether it’s the geo-location portion of the kill chain, figuring out, “Okay, I’m a CT scanner in a hospital in Omaha, Nebraska, and thus the closest malware payload server in AWS I wanna reach out to is in Omaha.” If you cut the head off the snake right there, then it can’t geo-locate and it can’t get further instructions. Usually that’s a dropper file that’s looking for an actual payload and the payload never gets downloaded, or whether it’s all the way down the kill chain during maybe an exfiltration phase, or, “You’ve paid the ransom, here’s your decryption key.” That happens very often over DNS. So by disallowing those communications, it almost doesn’t… I mean it matters that one of your devices has gotten popped, but you’ve taken the claws from the lion, so to speak. They can’t hurt you if they can’t talk to the device, so…
0:06:51.7 CT: Yeah, I really wasn’t as aware as a security person that people didn’t look at DNS or consider it as part of their process until we acquired OpenDNS a few years ago. And so, it’s just the easiest thing to talk about. It’s one of those things, it solves so many problems. It’s one of the very few things I can actually recommend that’s truly set it and forget it, and yet it seems like a lot of customers I talk to, I’m like, “Alright, where’s your recursive DNS pointed at right now?” “Well, I don’t know, I gotta ask the DNS guy.” “Okay ask the DNS guy.” “Well, it’s pointed to our ISP or to Google.” I’m like, “Alright, and you’re trusting them to deliver you clean DNS? They don’t care, they just wanna resolve what you’re asking them for.”
0:07:34.4 MM: Exactly, exactly. And it blows my mind. Alright, I wanna switch directions ’cause you said something that I wanna nerd out about, you said I applied some math to it.
0:07:44.8 CT: Yes.
0:07:45.4 MM: And in one of our emails you said the word Game Theory, which is another favourite topic of mine. So what did you mean?
0:07:53.3 CT: Yes, for those of you out there that are… Maybe you’ve heard the term Game Theory, but haven’t really looked into it, the general concept is looking at all of the possibilities, all the possible outcomes or solutions to a situation, assigning values to each one, and then ranking them. That’s really all it boils down to in its heart and soul. And so I didn’t see any reason why that could not be applied to a security strategy, since you’re not gonna be able to satisfy all of the wants and needs and or predict all the outcomes. You have to figure out how to rank them. And so Game Theory is just, in my opinion, a logical way to do that, that was kind of how I applied it to this sort of webinar and the threat funnel thing that I sent you, is just making that visual. And then, I made mention of an app, internal to Cisco, that didn’t start that way.
0:08:47.9 CT: So a couple of years ago, one of our really brilliant engineers, Joey Muniz, he’s probably not the only one who’s worked on it, but that’s the name that sticks out in my mind, came up with this concept of SAFE workshops, which we love our acronyms at Cisco. But basically it’s the idea of sitting down with the customer, looking at their entire network. And not just from a technical architecture perspective, but asking them questions like for a university, ’cause I was in SLED for a really long time. So I had a lot of university customers. “Where does your revenue primarily come from?” “Alright, well, we’ve got donors, alumni, we’ve got the football stadium and it generates revenue, basketball games and bla bla bla.” “Alright, well, where does the data live that’s relevant to that research grant?” This is always a big one with the bigger universities. “Alright, where does the research grant data live?” “Okay, well, it lives over in this data center.” “What are the controls that sit between a bad guy and that data?”
0:09:44.5 CT: Okay, then making recommendations about where to focus their attention, not only based on just making sure that the most vulnerable parts of their network are protected, but making sure that it directly correlates to a revenue impact. Because that seems to get the ball moving with the cheque writers when you’re a CSO and you try to go ask for money. Is to be able to connect that directly to revenue. And so it did it in a really innovative, in my opinion, way and it was an all-day workshop, and we would sit down with customers and we’d draw these architectural diagrams, and then we would visually represent, okay, what sits between a bad guy in this data centre or these controls and map them out. And I was like, okay, that’s great, I guess. If you wanna go, say, I need these things and here’s why, because this is where data live, that’s effective and that’s awesome. But for me, being a little bit more math-oriented, I wanted to be able to attach more math to that, not just, these are the controls that sit between here and there, but okay, well, I can’t afford all five of those controls right now, which one should I buy? Well, we should be able to tell you. And so that’s where this concept of assigning values came to be.
0:10:57.5 CT: So what I basically did was over a lot of drinks at a bar in Chicago one day, [chuckle] in the sun, sat down with my engineer partners in crime after we did one of these workshops. And we just came up with a grid basically where we assigned to the top of the grid, the places in network or PINs as we normally call them, in SAFE, where the data lived, and then on the left side of the grid we would assign all of the controls that actually had been extrapolating that further into which of those places in network were revenue generating and by how much and blah, blah, blah. But basically all we did was assign a value, correlate that and say, “Okay, you’ve got five different essential places in the network where you’ve got data that lives, and of the controls that apply to all five of those, this one appears common to all five, so this should be your first priority.”
0:11:48.3 CT: And so just by simple addings of ones to here and ones to there, and then adding them all up, we were able to say, “This is your greatest bang for the buck at this very moment in time, from an overall architectural perspective.” And so that left my hands. Bill and some other folks on our team that are a little bit more script-minded, turned it into an internal app. So now you can go tell it all of these data points that I used to put into a spreadsheet and spit out a very nice looking chart that gets the same information. [chuckle] So that’s what I was talking about, the idea of acknowledging, okay, vomiting a list of things, of tools that you could buy, is not useful as a partner. If I really wanna help you, I should be able to help you not only acquire but operationalize the tools and in a way that’s in priority order mathematically to what will give you the most protection for the least amount of whatever effort, time, money. So that’s kind of the concept behind that.
0:12:52.6 MM: By the way, I’m with you on the rant about vendors things. You and I are both vendors, so we’re kind of reflecting on this. But I was just thinking as you were telling that story, how many vendors are not just out there saying, “Here’s a list of tools, buy more of them.” We need to be better partners to our customers. I think we could rant about that for days, but it’s one of those things, as someone who’s sat on the other side of the table, when I was a CSO, when the vendor shows up, and they’re just like, “Here’s what you should buy, buy all of it, ’cause that’s what everybody’s buying this year.” Or Gartner says that’s what you should buy. It’s like, okay, but do you understand my environment? And especially, we’re talking healthcare, a hospital doesn’t look like a bank. And if you’ve been in SLED, you’ve been in Healthcare, you’ve probably sold to all the other stuff too, if you don’t take the time to understand the customer, you just try and sell them the same thing over and over again… Sorry, I am on my soap box.
0:13:54.9 CT: No, no, no, I’m right there with you up on the ledge. I feel like just by virtue of walking everywhere with a Cisco badge is meaningless. I think there’s a perception that, “We are trusted and we’re the best in all the things, and so give us a PO.” The security industry is different, you know that, I know that, people listening to this podcast probably know that. It’s incredibly fractured. If I put all of my competitors for all the solutions that we bought in our portfolio, if I put all of our competitors on a slide, you have to zoom in to even see what the logos are, ’cause there’s so freaking many of them. And so I have to be different. It doesn’t matter that I wear a Cisco badge, no one cares. No one cares, they’ll go out and buy some two-bit startup that does one thing if it seems like it solves a problem, and they should. I have to be different. And I’ve been doing this long enough that it’s not interesting to me to just sell a widget, I have to solve problems or it’s boring.
0:14:50.8 MM: I completely 100% agree. With that, thank you so much for coming on today. This has been a blast. This has been so much fun. Where can the world find more of you?
0:15:01.6 CT: Yeah, I don’t know, on Twitter, I guess. I play a lot of Xbox. If you’re a commercial customer in the Kansas City area, you probably have heard or seen me darken your doorstep at some point or will in the future, but yeah, socially, Twitter, I’m @d0rkph0enix, the ‘O’s are zeros. You can find me, same tag on Xbox, I’m around.
0:15:30.5 MM: We’re gonna have to be Xbox friends.
0:15:32.7 CT: That sounds good [laughter]
0:15:33.5 MM: That’s hilarious. Alright, thank you so much, Lina, this was absolutely fantastic.
0:15:40.3 Speaker 1: Thanks for joining us for this episode of In Scope. To make sure you never miss an episode hop on over to www.scopesecurity.com to sign up, or you can listen on Apple Podcasts, Spotify or Stitcher and if you have ideas for topics, guests or technical tips please contact us at [email protected]
ABOUT THE GUEST
Carolina Terrazas has been working in infosec for 12 years, the last 7 of those with Cisco Security, where she has worked with everyone from public sector customers to healthcare, manufacturing to financial customers, and everyone in between. She lives in Kansas City, Missouri, with her 3 dogs and cat. She loves cooking, exploding malware in cloud sandboxes to poke it with a sharp stick and see what it does, the Chiefs, Royals, beer league softball, music festivals, and poker. She is a member of the Cisco CTF team and most recently went on tour with the pumpjack CTF, created by members of Cisco Talos. A self-described gin taste tester, she also loves Call of Duty, cars, and is the slowest runner you’ll ever meet.