Editor's note: This article originally appeared in our sister publication SC Magazine UK.
Focusing on three incidents in 2024 that he believes changed the way we work, SentinelOne CISO Alex Stamos said there are many lessons to be learned from this year’s experiences, and most can be met relatively easily
The first was the Chinese intrusion into Microsoft in 2023, which was spotted by a government user rather than the company itself. In the incident, an unknown user was opening mailboxes and Microsoft was unable to say who it was.
“There was this big report and I've made every manager on my team read this report, and I strongly recommend every CISO here read this report,” he said. “Why? You don't have the exact same problems that Microsoft has, the actual bugs in this are very specific to Microsoft, but there's a bunch of lessons in this report that apply to every company in here.”
These include: if you are facing a high-end adversary, “this is a great lesson in what that looks like” as it details how the adversary mapped out the network, found a weak spot that allowed them to sign tokens to get into a mailbox on Microsoft Exchange.
Also, Stamos said that “half finished security projects will completely destroy your model” as “your entire security program is as good as the stuff you have not finished yet.” He claimed that every person in the room has a security project “that should have been done and is not quite done yet” and that is where an attacker can get in.
Customers at risk
The second incident was related to Snowflake, whom Stamos said “made product decisions that put their customers at risk and meant that all their customers had their data stolen - but they themselves were not breached.” He said they have logins, but their native login stack wasn't very well designed and as a result, “it was hard for companies that have Snowflake instances to add settings to force employees to make it secure to require MFA to monitor what is going on.”
This enabled an attacker to do a credential spraying effort on Snowflake, using breached passwords, and they were able to download customer data. Stamos said there needs to be better consideration of user’s safety, and enterprise companies “have to build for safety, we have to actually meet people where they are.”
Monoculture to blame
The third incident was the Crowdstrike update of July 19, where Stamos said “we’ve ended up with a massive amount of monoculture where very few companies end up with multiple security solutions.”
He said: “They decide we're going to employ one security solution for the entire enterprise for everything: for servers, for clients, for every region, for every data center, Companies did this and found it was a bad idea. They deployed it for their Prime site and their business continuity site.”
However with the troublesome update, this caused screens to go ‘blue’ in both sites, and Stamos said a learning point here is “we're not going to run our primary in our backup sites, using the same stuff” and said monoculture “is really dangerous when it comes to security products, but I think that's going to be true for IT overall.”
Also, Stamos said the incident proved that security products are innately destructive, and vendors have “to really earn the trust back of the people who deploy them,” and security teams need to demand their vendors “are not just going to accidentally blow up your stuff, but also that we build our products to help you.”
More friction
Looking at learning points, Stamos encouraged more friction in product selection, and a need to end up with heterogeneous infrastructure and security solutions, as this can make things hard for attackers.
“If you build enough friction in, if you do things like you disconnect your identity domains, you make IT admins authenticate to different domains at different times, if you create heterogeneity so that you have to take over multiple systems to have the equivalent of the domain admin, that can be really powerful,” he said.
