The failings that lead to hacks are not hard to find – technology monoculture, the assumption that making networks easier to manage has no effect on security, and an unwillingness to be paternalistic about security.

Alex Stamos

The world has entered an unstable era, dominated by expanding geopolitical flashpoints, including Ukraine, the Korean peninsula and the Middle East.

While few of these conflicts are new, what is novel is the way they are now mirrored in the cyber world in increasingly complex and consequential ways. The digital realm isn’t secondary, a mere reflection of events in the physical world. Increasingly, it is an underlying driver of conflict in its own right, argued SentinelOne CISO Alex Stamos in his keynote at ISC2 Security Congress 2024 in Las Vegas, Building a Trustworthy Company after the Tech Calamities of 2024.

“Even by the industry’s crazy weird standards, 2024 has been impactful,” opened Stamos, who believes the root cause of this is the end of a historically benign time of Pax Americana. Today, countries increasingly go their own way, and this is generating conflicts that play out in cyberspace as a proxy for kinetic battles.

“Cyber has become one of the key tools of geopolitical conflict. Cyber is one of the first things states look for when they are trying to affect global affairs.”

It’s a facet of modern geopolitical conflict that’s not always appreciated. Nation state cyberattacks are not simply another channel of conflict; increasingly, they are the conflict.

Critically, cyber is a leveler. Stamos used the example of a country stealing the plans for the U.S. F-35 jet. Even with the plans in hand, very few nations could replicate the aircraft. In contrast, the code for a stolen cyberweapon can be cloned within hours or days, even by a small group of programmers.

“We know this because this exact thing has happened. We have lost the source code to American weapons that taxpayers paid for, and they have been put into weapons used against American companies,” said Stamos.

At the same time, countries can exploit a lack of clarity about escalation. Countries have no examples to point to of cyber conflict turning into kinetic conflict. This encourages countries to think they can get away with cyberattacks and so far, they have been proved correct.

Today, the list of organizations that might be the target of a nation state attack has expanded beyond the direct targets to include anyone connected to them through their supply chains, potentially thousands of organizations.

What You Know Will Hurt You

Stamos highlighted some of the most significant recent cyber incidents, starting with the incursion into Microsoft Exchange Online in the summer of 2023, a serious attack that was uncovered by a third party rather than by Microsoft itself. The U.S. Cyber Safety Review Board (CSRB) later produced a stinging report highlighting the weak platform security practices that led to the incident. According to Stamos, the report holds lessons for every CISO.

“I have made every manager on my team read this report and I strongly recommend every CISO in this room read this report.”

One reason is that the attack is a good example of how a high-level adversary targeted a real network and methodically found a weak spot. But there are others.

“Your entire security program is as good as the stuff you have not finished yet,” said Stamos.

Almost everything the attackers exploited was a weakness Microsoft already knew about and was still working to fix. The problem is that every company has weaknesses like these, usually for good operational reasons.

“The PLA doesn’t care if it’s 95% done.”

Be Paternalistic

Stamos then turned to the June 2024 incident affecting customers of the cloud data provider Snowflake, which still maintains that it was not breached. “All its customers were breached but they themselves were not breached,” Stamos explained with a wry smile.

A problem with the security industry is that it builds security products that only work if they are used perfectly, he said. The lesson of the Snowflake incident is that a provider should not assume its users will make the right security decisions; in this case, that meant securing their accounts with MFA, which many had not done. Security is about making complex decisions for customers so that they don’t hurt themselves.

IT Monoculture

The summer 2024 CrowdStrike outage was arguably the worst IT incident in history. Stamos offered an analogy for it: “IT teams build beautiful bridges. And what do security teams do? We rig it with C4.”

The lesson Stamos takes from this incident is the danger of monoculture: when everyone uses the same IT or security product, everyone shares the same weaknesses. CrowdStrike, for its part, was wrong to claim that any security product could have caused the same problem. A vendor is always responsible for its own failures and shouldn’t hide behind an idea of collective responsibility.

“Monoculture is really dangerous. Second, security products are innately dangerous.”

Stamos’s first conclusion was that organizations should embrace heterogeneity because it makes life harder for attackers. His second, which follows from the first, was that deliberately adding friction to a network, for example forcing admins to authenticate separately to different domains even though this is less convenient, is another way to improve security by design.

Build multiple identity domains, disconnect cloud providers, red team east-west movement and embrace heterogeneity, said Stamos.

“If you have to take over multiple systems to have the equivalent of a domain administrator in different places that can be really powerful.”
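To make that last point concrete, here is an added example, written for this page rather than taken from Stamos’s talk. It models two versions of the same small estate: a flat one, where a single domain-admin credential is valid everywhere and gets cached on ordinary servers, and a split one, where each identity domain has its own administrators and nothing crosses the boundary. A breadth-first walk from one compromised credential (own the systems it administers, harvest whatever credentials are cached there, repeat) gives the blast radius, and a brute-force search gives the smallest number of independent footholds an attacker needs to control every system. All system and account names are hypothetical.

```python
"""
Blast-radius model for admin credentials across identity domains.

Added example; the inventories below are constructed and hypothetical.
Each inventory has two maps:
  admins: credential -> systems that credential can administer
  cached: system -> credentials an attacker can harvest once the system is owned
          (cached logons, tokens on disk, live sessions)
"""
from collections import deque
from itertools import combinations

# Flat estate: one domain, one domain admin who logs on to ordinary servers.
FLAT = {
    "admins": {
        "corp\\da-alice": {"dc1", "file1", "web1", "db1", "build1", "jump1"},
        "corp\\helpdesk-bob": {"web1", "file1"},
        "corp\\svc-backup": {"db1", "file1"},
    },
    "cached": {
        "web1": {"corp\\helpdesk-bob"},
        "file1": {"corp\\svc-backup", "corp\\da-alice"},  # DA fixed a share once
        "db1": set(),
        "dc1": set(),
        "build1": set(),
        "jump1": {"corp\\da-alice"},
    },
}

# Split estate: three identity domains, no credential valid across a boundary.
SPLIT = {
    "admins": {
        "infra\\da-alice": {"dc1", "jump1"},
        "prod\\admin-carol": {"web1", "db1"},
        "eng\\admin-dave": {"build1", "file1"},
        "prod\\helpdesk-bob": {"web1"},
        "eng\\svc-backup": {"file1"},
    },
    "cached": {
        "web1": {"prod\\helpdesk-bob"},
        "file1": {"eng\\svc-backup"},
        "db1": set(),
        "dc1": set(),
        "build1": set(),
        "jump1": {"infra\\da-alice"},
    },
}


def all_systems(inventory):
    """Every system that appears anywhere in the inventory."""
    systems = set(inventory["cached"])
    for targets in inventory["admins"].values():
        systems |= targets
    return systems


def blast_radius(inventory, start_creds):
    """East-west movement from a set of compromised credentials.

    Returns (owned_systems, owned_credentials) after the attacker has used
    every credential to take every system it administers and harvested
    every credential cached on those systems, until nothing new appears.
    """
    owned_creds = set(start_creds)
    owned_systems = set()
    queue = deque(start_creds)
    while queue:
        cred = queue.popleft()
        for system in inventory["admins"].get(cred, ()):
            if system in owned_systems:
                continue
            owned_systems.add(system)
            for harvested in inventory["cached"].get(system, ()):
                if harvested not in owned_creds:
                    owned_creds.add(harvested)
                    queue.append(harvested)
    return owned_systems, owned_creds


def footholds_for_full_control(inventory):
    """Smallest number of independently compromised credentials whose
    combined blast radius covers every system, with one such combination.
    Brute force over combinations; fine for an inventory this small."""
    creds = sorted(inventory["admins"])
    target = all_systems(inventory)
    for k in range(1, len(creds) + 1):
        for combo in combinations(creds, k):
            systems, _ = blast_radius(inventory, combo)
            if systems == target:
                return k, combo
    return None


if __name__ == "__main__":
    for name, inv in (("flat", FLAT), ("split", SPLIT)):
        helpdesk = next(c for c in inv["admins"] if "helpdesk" in c)
        systems, creds = blast_radius(inv, [helpdesk])
        k, combo = footholds_for_full_control(inv)
        print(f"{name}: phishing {helpdesk} yields {len(systems)}/{len(all_systems(inv))} "
              f"systems; full control needs {k} foothold(s): {combo}")
```

In the flat estate, phishing the help-desk account is enough to reach every system, because the domain admin’s credential is sitting in a cache on a file server it administers. In the split estate the same phish ends at one web server, and an attacker needs three separate admin compromises to own everything. The same reachability idea, on real data, is what graph tools such as BloodHound compute, which is why red-teaming east-west movement is the natural way to check whether an identity split actually holds.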