July 31, 2017
We recently met with Jeff Schilling, Chief Security Officer of Armor, a cloud hosting company that takes security very seriously. Their focus on security (not just compliance) led to an interesting conversation with Jeff, whose background in Dell SecureWorks and the U.S. Army is enough to warrant another interview! We hope you enjoy it and learn about a new cloud provider that is focused on regulated spaces like FinTech.
Let’s jump right in!
Patrick Rivenbark: Why start Armor to begin with? Why weren’t other cloud providers out there?
Jeff Schilling: More and more companies are moving their most important and regulated data to the cloud, where hosting companies fall short in providing a full security solution for their customers' data. When reading the fine print: a majority of cloud providers are merely protecting their infrastructure (Hypervisor and below) while leaving it up to the customer to protect their virtual environment. Customers new to the cloud are overwhelmed when they realize they don’t have the security staff or experience to manage security in the public cloud. That’s where Armor can assist by providing security to public cloud hosting and filling in the gaps other providers can't.
Armor is also the first Totally Secure Cloud Company, offering our customers a hosted solution, a virtual private cloud where we provide a full-stack security solution.
PR: Armor has a great saying, Threat Actors Don’t Care If You’re Compliant. That’s so important to understand. Can you expand on that?
JS: Compliance standards tell an organization what they MUST do to meet a particular regulatory requirement. At Armor, we’re focused on outcomes. In order to adequately protect data, there is a host of security operations activities and controls that you SHOULD do that are not covered by a compliance standard. Compliancy does not equal security. Rather, requirements should be looked at as a subset of what you SHOULD be doing in order to secure your environment.
PR: How do you keep up with the massive amount of threats in the world?
JS: Data, data and more data. We collect and analyze more than 150 different data feeds to determine what the consensus of the cyber threat research community considers a "known bad." Our Threat Resistance Unit (TRU) applies the knowledge we gather and integrates it into our security controls, allowing us to stop the low-hanging-fruit attacks from the commodity threat actors. This procedure removes the hay from the haystack and allows our security team to rapidly identify the more sophisticated needles, or actors, who have advanced operational processes. Another component of our strategy is to present a small surface area of attack by having a hardened, well-patched environment. This deterrent serves to increase the level of skills a threat actor needs in order to successfully compromise a host in our customer environments. Once compromised hosts in our environment have been identified, TRU contains and eradicates them in less than 24 hours.
PR: We’ve seen several recent cyberattacks – WannaCry and Petya. First, what important information isn’t being discussed in the media? And how does Armor approach these types of attacks?
JS: Both WannaCry and Petya have had a tremendous business impact on many global companies. Many IT security executives and directors lost their jobs as a result because, in all honesty, they should have been ready. The patch for Shadow Broker tools, EternalBlue and DoublePulsar was released in March 2017; a large effort was made to sound the alarm and educate those that this was a critical patch that could have major implications if not used with haste. However, notifications went ignored or IT departments lagged issuing the patch and just two months later, the result was the WannaCry event.
As for Armor, we realize the absolute importance of keeping your system up to date and patching our management pods & corporate systems within 30 days. While working to develop custom Network Intrusion signatures to detect WannaCry and Petya activity, we quickly provided the patch to our customer VMs and even went a step further to scan our customer environment, looking for servers with ports 445 and 139 open, which allows EternalBlue to connect to a vulnerable system. Luckily, Armor identified only a few customers who had these ports open for operational reasons, so we moved swiftly to ensure that they were patched.
PR: As you protect more sensitive data for financial services companies, the target on your back only gets bigger. How do you continue to remain secure as you grow?
JS: Everyone who hosts important data, like financial and payment card industry information, carries a target on their back. While our company has been targeted for attack in the past, the threat actors are really after our customers. As Armor continues to grow, we are leveraging best-of-breed security tools and talent to ensure we provide the same level of security protection as we do today. To stay ahead of threat actors who continue to impress me with their maneuvers and persistence, we are automating our processes to make our security analysts more productive.
PR: What advice would you give FinTech startups about their cybersecurity efforts?
JS: Secure your data environments from day one. From the time you stand up an internet server in the public cloud, threat actors are scanning it for vulnerabilities and attacking it within 10 minutes. Many FinTech startups don’t adequately protect their development environments from cyberattacks. There’s a misconception in the industry that they don’t need to bake in security until they have live data in their environment. If these companies were brick-and-mortar businesses, then that would be the equivalent of neglecting to put locks on the doors of stores until they’re open for business. It’s a bad judgment call in a brick and mortar business, as is not building out a secure environment in the cloud as software is developed.
PR: What’s the one thing everyone reading this should understand about cybersecurity that they most likely don’t know today?
JS: Everyone's a target. The "big sky, little bullet" approach to security will not work out for you. Threat actors are getting more sophisticated and are attacking environments as soon as they are provisioned.
PR: What are the most recent things you’ve changed your mind about when it comes to cybersecurity?
JS: Over the last year, I have been emphasizing that ransomware attacks are becoming more commonplace than credit card theft. As bank fraud detections get increasingly better, the amount of time a stolen credit card number is of value is shrinking. Unauthorized credit card transactions are now blocked before threat actors can gain the fruits of their labor. This has driven down the value of stolen credit card numbers on the Dark Web to the point where, I suspect, these actors will pivot to locking out the victims from their data and demand a ransom. I predict in the EU, the new GDPR rules that go into effect in 2018 will be used as leverage for ransom.
As an organization, can you imagine if you are faced with a $20M Euros fine in the event of a breach and a threat actor offers to give you your data back for $1M Euros? I am pretty sure that is a deal most CFOs will take. Don’t let yourself get into that situation. Instead, protect your environment from day one.
Thanks for joining us, Jeff!
About Jeff Schilling:
Jeff Schilling, a retired U.S. Army colonel, is Armor’s Chief Security Officer and is responsible for the cyber and physical security programs for the corporate environment and customer-focused capabilities. His areas of focus include cloud operations, client services, quality analysis, software development and engineering.
Previous to joining Armor, Schilling was the Director of the Global Incident Response practice for Dell SecureWorks where his team supported over 300 customers with incident-response planning, capabilities development, digital forensics investigations and active incident management. In his last military assignment, Schilling was the Director of the U.S. Army’s global Security Operations Center under the U.S. Army Cyber Command.