Jason Truppi has lived three distinct lives over the course of his career. The long-time technologist became an FBI agent, where he served as a Cyber Agent in New York City and eventually served as a supervisor at the FBI Cyber Division before reinventing himself again as a technology entrepreneur.

Truppi has a wealth of experience with cybercrime, from data breaches and hacktivism to cyber extortion attempts. He now puts that experience to work as the Director at Tanium, an endpoint security and systems management company where he helps advance the security industry and defend against attacks on an enterprise scale.

International Business Times: There have been a number of high-profile, state-sponsored cyber attacks in the last year. Do state-sponsored attacks pose a more serious threat for organizations than any other type of threat actor and do such attacks typically require a more sophisticated defense?

Jason Truppi: Advanced threats are only as advanced as an organization's security posture. In the case of the DNC hack or the WannaCry incident, for instance, these were not the most sophisticated methods of intrusion. Most threat actors, regardless of their skillset, will use the path of least resistance – or the minimal technique necessary – to conduct an intrusion. If an organization struggles with accurate and complete patching cycles, visibility of all their assets, vulnerability management and shadow IT, then any threat can pose a serious risk. The goal of security is to impose cost on the adversary and it starts with basic hygiene, which most organizations are not implementing properly. If you master basic hygiene techniques then you can focus on layering more sophisticated defenses such as operationalizing threat intelligence, endpoint detection and response, threat hunting and anti-malware protection.


While state-sponsored attacks are certainly concerning, the impact is usually felt longer term and is more strategic in nature. What is more concerning are destructive attacks such as ransomware and wiping viruses that are on the rise and are being deployed by both nation-state and criminal hackers. According to the Verizon Data Breach reports over the last few years, state-sponsored hacking has been a low percentage of the total number of attacks per year and was on a decline in 2014 and 2015, with a recent spike in 2016. Regardless of the low frequency of intrusions that we know about, nation-state hacking remains a concern to many global organizations. The organizations that have perfected the basics and are concentrating on more advanced defensive techniques will have reduced their risk considerably.

IBT: What tend to be the most difficult vulnerabilities for organizations to defend against and how can they improve their defenses?

Truppi: The most difficult vulnerabilities that organizations face are the ones they don’t know about. Many times when we deploy Tanium, not only do we obtain visibility into the majority of assets in an organization, we have the capability of finding unmanaged assets, or shadow IT. We typically find ten to twenty percent unmanaged assets in enterprise environments. That means if you think you are 90% patch compliant on the 80% of the assets you know about, you are really only 70% patch compliant. These are serious problems that enterprise organizations are facing on a daily basis. Assets appear and disappear over time, which is very hard to track at scale, and unmanaged assets are prime targets for attackers looking for an easy way into your network. Asset visibility is the first step in managing risk to vulnerabilities.

Once you have the visibility of your assets, the next hardest thing is identifying the vulnerabilities and mitigating your risk through remediation. This requires full control over all of your managed assets. This is extremely difficult for most organizations and generally requires manual intervention.

Another major challenge I’ve observed with vulnerabilities is that even if you have that level of visibility into your assets, you understand your vulnerabilities and you have the capability to remediate at scale, you still need to continuously assess your environment for frequent changes. When a major vulnerability is disclosed, the response should not be a one-time response; you should have the capability to continuously assess your environment with little operational impact.

IBT: Is there anything government can learn from the private sector and vice versa when it comes to cyber security?

Truppi: The government and private sector have been learning from one another for many years regarding cyber security. The past two Administrations have emphasized public/private partnerships that have successfully taken shape. An organization like the National Council of ISACs is a great example of the Department of Homeland Security’s effort to share threat intelligence and create an open dialog between government and the private sector.

The larger focus now is how to fully operationalize the data that is being shared and how to share intelligence faster and more efficiently. To a certain extent there still seems to be a gap in what data should be shared back to which government organization by private sector organizations. Some of the questions have been answered in Presidential Policy Directive 41, which declares FBI, DHS and ODNI the lead agencies for threat response, asset response (mitigation) and intelligence support respectively, but private organizations struggle to understand government's role in responding to major threats to the private sector.

Outside of the official organizations dedicated to the partnerships, I believe that government could improve on its understanding of the operational impact on organizations of applying threat intelligence and complying with government regulations. This is an area of concern to many organizations. Government and private sector cooperation is the only way we are going to move the industry forward and close the gaps on the major threat actors.

The government can also learn to innovate faster from the private sector. Organizations like the Defense Innovation Unit Experimental (DIUx) have streamlined government procurement processes to allow government organizations to use emerging technologies in meaningful and impactful ways at a speed never achieved before.