If you ask Tom Sego, “How did you get into this business?” Tom might answer with a humble and hilarious,
“I have never been qualified for any job I’ve had.”
Throughout the first 20 years of his career, Tom had never worked in the same function twice or industry twice. Learning on the job led him to work in heavy equipment sound suppression, pharmaceutical manufacturing, environmental management, corporate strategy, and sales operations at Apple.
Tom believes it’s the lack of fear of not being the smartest person in the room led him to co-found a mobile telephony company, a solar storage company, a wine importing business, and a cyber-security company in addition to playing poker professionally for a period of time. Sitting down with Tom to talk about his work at Blastwave was a genuine pleasure.
M.R. Rangaswami: What did you see in the marketplace that prompted you to start such an ambitious company?
Tom Sego: I was reading Wired Magazine a few years ago and got completely absorbed into an article from Andy Greenberg about the first of its kind cyberattack on the Ukraine power grid. In a nutshell, an unknown adversary was able to hijack the Ukraine power grid remotely and shut down power to 230,000 homes.
This was frightening in three respects. The first is that so much damage could be done to our critical infrastructure because of the increasing need for connectivity and remote access. Being air-gapped is no longer a viable operations strategy as many services are Internet-connected. The explosion of industrial IoT devices and use of valuable associated data mandate a level of connectivity that wasn’t necessary a decade before. The second is that attribution of the assailant was almost impossible to ascertain – it’s tough to get caught. So, if our critical infrastructure was experiencing a digital revolution in terms of connectivity and adversaries could attack it cheaply and effectively with impunity, this is a problem that warrants serious investigation. As a side note, the third scary part of this was that the US was in worse posture than Ukraine in terms of network segmentation, so we are even more vulnerable.
Some people might read that story and say, “that’s interesting – I’m glad it didn’t happen here; I will continue on with my life”. But my entrepreneurial mindset prompted me to start digging deeper and assess what I could do to improve the situation. From my research, I discovered that vulnerabilities were accelerating while spending on security products and services was increasing. My optimistic gut told me what it has told every inventor since the dawn of time: There must be a better way.
M.R. Why are security attacks happening more frequently and with greater severity, while spending on cyber products is increasing?
Tom: This one is simple. What we are doing isn’t working. It is a function of both changing requirements and technology disruptions that have altered the ecosystem. There have been three fundamental technology shifts that have dramatically changed the cyber security landscape. The internet of things and 4th industrial revolution (digital transformation) have put literally billions of devices into our industrial environments that pump out terabytes of data. These data are being used to create improved digital operating models via artificial intelligence and machine learning. That sounds great, doesn’t it? Well, it is great for predictive maintenance and other use cases. But, it’s not great in that all of these systems are now connected in a way they weren’t before. That connectivity makes it much easier to remotely break into operations and manufacturing environments from anywhere on the globe.
The second technology shift has come from the advent of cryptocurrency. Bitcoin and others have enabled seamless monetization that can be done anonymously (anywhere on the globe). Ransomware attacks increased 900% last year according to VMWare Carbon Black, which was additionally aided by the sudden work from home requirement for remote access. Ninety-eight percent of ransomware payments were made with bitcoin, according to insurance broker, Marsh.
The third technology shift is the democratization of hacking software tools. This has taken two forms. One is a series of marketplaces in which adversaries can purchase and download viruses, worms and trojans that can be used to perpetrate ransomware and other attacks. The second are services, like Ransomware as a Service (RaaS), making it much easier for professional cyber groups to inflict damage or extract larger payments. So that explains, why cybercrime is gaining momentum: it’s easier, cheaper, and it’s hard to get caught. That doesn’t explain why the increased spending isn’t thwarting their efforts more effectively.
My hypothesis is that the industry has been mired in the traditional approach of “detect and patch” – a game of “whack-a-mole” with an average of over 100 days between detection and widespread patch implementation. In the cyber security world, they use fancier language: threat detection and threat remediation. Recent entrants and increased spending have been directed at detecting and patching faster with AI/ML as accelerators, but fundamentally, it’s still reactive. My insight and the founding of BlastWave was driven by the simple question, can we come up with a “first principles” method of prevention. The old model might be OK for enterprise security teams to prevent names, addresses and social security numbers being stolen or held hostage. But, for critical infrastructure that in many cases simply cannot be patched, we must do better.
M.R.: What are the most important things people can do to protect their most important assets from cyberattack?
Tom: We have witnessed four devastating cyber-attacks in the past three months:
1) The SolarWinds attack that affected 18,000 organizations
2) The Hafnium Microsoft Exchange attack affected 30,000 organizations
3) The Oldsmar Florida Water Treatment plant that attempted to poison a municipal water supply
4) The Verkada camera breach that allowed 150,000 cameras to be exposed, including Tesla factories, gyms, schools, etc.
All of these incidents used widely different tools and had varied levels of sophistication, but the common threads were the same:
a) stolen credentials to gain access
b) reconnaissance of the various networks to identify ways to implant malware
c) the capability to move laterally within a given network, and finally
d) the ability to either directly remote control or install backdoor software to enable remote command and control.
(For us security nerds, this is called the “Cyber Kill Chain.”) As a result, the most important thing organizations can do is to shut the metaphorical “front door” with multi-factor authentication, making it harder for adversaries to gain access in the first place. This single action can make it harder to acquire credentials in terms of usernames and passwords that get phished or cracked. However, multi-factor authentication is not good enough. A better solution is to eliminate usernames and passwords altogether. They are a relic of the 1960’s and 70’s. If there is no username or password to steal, unauthorized access is much more difficult. Our flagship product, BlastShield, has password-less MFA authentication experience similar to ApplePay or GooglePay, with an extra component that prevents what are called “replay attacks”.
A second action that I would encourage is for CISO’s and organizations to go through a process to identify their critical assets or “crowned jewels” and protect those with a cloaking distributed software-defined overlay like BlastShield.
With the pandemic accelerating cloud service adoption and increased work from home (WFH) environments, it is imperative that organizations don’t use hope as a strategy. Moving to MFA and identifying and protecting your most important assets and data is a huge leap forward. Maybe some other time, we can talk about how to systematically address the root causes of the events like the four I mentioned earlier.
M.R. Rangaswami is the Co-Founder of Sandhill.com