Thomas Ruoff
By Thomas Ruoff on October 18, 2021

Q&A with Thomas Ruoff

Thomas, thank you for taking the time to talk with me today. Tell us about your background.

My name is Tom Ruoff. I am the VP for Control Cyber Risk, specializing in risk reduction process development for organizations. I’ve spent 35 years in information technology and the intelligence community. Starting in the Air Force, I had the opportunity to work at the Defense Intelligence Agency as a whole source analyst. I worked with information from varying degrees of classification and the IT systems that both supported and collected that information.

From there, I worked with the National Security Agency, where I spent several years in both collection processing and analysis, and ultimately into the Information Assurance Directorate working with those doing cybersecurity, and then with the National Imagery and Mapping Agency. Now it’s called NGA (National Geospatial Agency), working with the CIA to develop the nation’s imagery and mapping infrastructure. I got a chance to develop many skills and technologies dealing with the equities of the customer set.

Help me understand what you mean by the equities?

So, let’s take a bank, for example. You have to share information, and you have to protect information. You are providing information to users but are required to protect it by the same token. This is the normal tension in security. You have the user who has to be able to receive and use information, and then you have the IT side and the security side making sure that the information and the systems are protected. Those are the equities, the interests: the normal requirements to use, and the requirements to protect.

When I was working with the CIA, it was “where does the information come from?” The answer was “You don’t need to know that.” Well, you’ve given me an image of someplace on the planet; you have to be at least able to provide us with something for the analyst function; there needs to be metadata about that. The CIA believed they could not provide that. So, we had the equities of collection and use and also between and in the background. It’s a healthy tension we find everywhere. Probably equities may be better expressed as requirements normalization and the respect for the different stakeholders inside the enterprise for what their jobs are, while knowing that sometimes there will be conflict and how to resolve that conflict in a win-win method.

That’s super helpful. What I heard, too, was how a piece of information has context. You know it’s going to have contact with the context for the party sharing it. How you create the best practice is about protecting those interests while securing information. We work with agencies that need data to communicate and are highly regulated. The information must be made useful for their agency and constituents. Tell us about the assessment process.

Our approach is unique because we always start with the business process and focus almost entirely on the business process and how IT and security are compatible with that.

We have a three-step process. The first step is to identify the business processes, specifically the business essential functions (BEFs). We go into an organization, and we understand what the elements of the organization do. So, if there are maybe four or five divisions, what do those divisions do? What are the subcomponents of those divisions, and what are the business essential functions conducted there?

Then we ask what information resources do you use to do that? What do you know? Are you using email or using web content? How do you receive it? How do you process, and how do you then produce your content? With that understanding, we then ask what would be the consequence if, through disruption of either your IT or your inputs, you could not perform that BEF? What's the impact? That sets a business threshold to focus our efforts within the enterprise on those things that would have the most significant consequence if interrupted.

We are extremely economical in applying our analytic tools, both the automated tools and the recommendations for the staff. What we find in this first step is understanding the BEFs— the way things work. Understanding what we need to focus on and the impact defines where we focus.

For example, everybody is always concerned about HR, but, in our experience, HR is probably the least impactful element of an organization if it is compromised. You can do your functions without a functional HR department for about 2-4 weeks, right? You cannot function if you can’t reach out to your customers. ImageSource, as an example, doesn't work if the professional services staff aren’t in contact daily. If software development staff can’t do their job, the whole business process of the organization comes to a halt.

I’m hearing that the risk is still there, and the impact on the individual might be high, but the value of that particular content or information doesn’t convert to a cost.

Correct. For example, people always think of HR because they can go in and take personally identifiable information. That’s true, and there are fines or penalties associated with that, but an organization can live through an HR security breach reasonably effortlessly. However, for the Accounting department in a company with many transactions that open and close rapidly with many vendors, it’s just the opposite.

In a customer-facing company like ImageSource, you can carry on for days and weeks. The BEFs are professional services, software development, and deployment. We found that to protect an organization, we conduct interviews, integrate policies, and all the other tasks associated with shoring up a cyber security policy. We have to convey that to the leadership and the staff in an understanding way, with sensitivity, respect, and dignity. Nobody wants to hear that what you’re doing is actually of almost no value to the organization. That doesn’t help at all, and very rarely have we found that to be the case, but there are priorities that leadership needs to set. Those priorities do not necessarily reflect the business value but the value from a cyber security perspective. The value is the cost associated with the risk.

We look at the BEFs and the IT support of those functions. Then we break that down into three parts. It’s the human beings (the staff and users), the processes and policies, and the technology. So then we look at IT and the IT dependencies. We ask, “What could go wrong? How many IT/security people do you have? What happens if somebody gets hit by a bus, quits, or does something malicious?”

For the processes and policies, we ask, “What are you trying to enforce? What are the technical means to do that?” We assign a dollar value for an incident. For example, at ImageSource, we looked at all the departments, interviewed all the department heads, and determined with them, jointly, the BEFs. We decided what functions would have the most significant detrimental effect on the organization if they were not performed. What could cause those functions to cease? How could an event like that occur? This process leads to a technical risk assessment in dollar terms.

We assign the business functions a risk factor equaling a dollar figure. For example, and these are made-up numbers, if the ImageSource Professional Services team was unable to work for one day, that costs $100. Two days, now it’s $300; it’s not linear. Three days, probably $2000. Why? The build-up and the cadence of their work are such that now they’d not only have to make up for lost work, but they also have to make up for reputation, etc. This is risk assessment. It’s looking at it from the lens of the impact and a security viewpoint on the business.

What can be done about it? We also provide a set of mitigations. During the risk assessment, we define and document the risk tolerance of the customer. For example, when we worked with ImageSource, we went back to the leadership and said, what’s your risk threshold? What degree of compromise are you willing to accept in terms of the business rhythm? What can ImageSource put up with? We come up with mitigations from that assessment of the risk threshold and the current risk exposure. So when we add up all the BEFs, the risk factors, and the current risk exposure, we derive the dollar value associated with an interruption of that business function. The sum of all of them is the entire enterprise risk exposure, the expected value per year that the company is exposed to.
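The arithmetic behind the last two answers, as an added example that is not code from the interview, from Control Cyber Risk, or from ImageSource: each BEF gets a non-linear outage-cost table, each interruption scenario gets an estimated yearly likelihood, exposure per BEF is probability times impact, and the enterprise exposure is the sum, which is then compared against the risk threshold leadership set and used to rank where mitigation effort goes first. The professional-services row reuses the $100 / $300 / $2000 figures the interview calls made-up; every other number, the scenario list, the tolerance, and the "mitigation halves the probability" model are constructed for this example.

```python
from dataclasses import dataclass

# Outage cost of each business essential function (BEF) by days of disruption.
# professional_services reuses the interview's made-up $100 / $300 / $2000;
# the other rows are constructed here. Growth is deliberately non-linear to
# model the catch-up work and reputation damage the interview describes.
BEF_OUTAGE_COST = {
    "professional_services": {1: 100, 2: 300, 3: 2000},
    "software_development": {1: 500, 2: 1500, 3: 6000},
    "hr": {1: 10, 2: 20, 3: 50},
}


@dataclass(frozen=True)
class Scenario:
    """One way a BEF could be interrupted, with an estimated yearly likelihood."""
    bef: str
    days_down: int
    annual_probability: float   # constructed estimate in the range 0.0 - 1.0


def outage_cost(bef, days):
    """Dollar impact of `bef` being unavailable for `days`, from the assessed table."""
    table = BEF_OUTAGE_COST[bef]
    if days not in table:
        raise ValueError(f"{bef}: a {days}-day outage is outside the assessed horizon")
    return table[days]


def exposure_by_bef(scenarios):
    """Expected annual loss per BEF: sum of probability x impact over its scenarios."""
    per_bef = {}
    for s in scenarios:
        loss = s.annual_probability * outage_cost(s.bef, s.days_down)
        per_bef[s.bef] = per_bef.get(s.bef, 0.0) + loss
    return per_bef


def enterprise_exposure(scenarios):
    """Whole-enterprise expected value per year: the sum over all BEFs."""
    return sum(exposure_by_bef(scenarios).values())


def rank_befs(scenarios):
    """BEFs ordered from largest to smallest exposure: where to focus first."""
    per_bef = exposure_by_bef(scenarios)
    return sorted(per_bef, key=per_bef.get, reverse=True)


def apply_mitigation(scenarios, bef, probability_factor):
    """Model a mitigation as scaling the likelihood of every scenario for `bef`
    (0.5 halves it). Impact tables are left alone: the mitigation modelled here
    makes an outage less likely, not cheaper once it happens."""
    return [
        Scenario(s.bef, s.days_down, s.annual_probability * probability_factor)
        if s.bef == bef else s
        for s in scenarios
    ]


def within_tolerance(scenarios, tolerance_dollars):
    """Compare current exposure against the risk threshold leadership set."""
    return enterprise_exposure(scenarios) <= tolerance_dollars


# Constructed scenario set for this example.
SCENARIOS = [
    Scenario("professional_services", 3, 0.10),
    Scenario("professional_services", 1, 0.50),
    Scenario("software_development", 3, 0.05),
    Scenario("hr", 2, 0.30),
]

if __name__ == "__main__":
    tolerance = 500.0   # constructed risk threshold
    print("exposure by BEF:", exposure_by_bef(SCENARIOS))
    print("enterprise exposure:", enterprise_exposure(SCENARIOS))
    print("focus order:", rank_befs(SCENARIOS))
    print("within tolerance before mitigation:", within_tolerance(SCENARIOS, tolerance))
    mitigated = apply_mitigation(SCENARIOS, "professional_services", 0.5)
    print("within tolerance after mitigation:", within_tolerance(mitigated, tolerance))
```

With these numbers, HR ranks last despite holding personally identifiable information, which is the point the interview makes: the ranking follows expected loss to the business, not the sensitivity of the data a department happens to hold.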

Thank you for being thorough. What did you find when you went through the assessment at ImageSource? How did you find ImageSource to be complying? What are the areas for improvement?

In the case of ImageSource, with the history and the pedigree of ImageSource, they started small and have been wildly successful in getting and maintaining a large stable of very large customers. They’ve been extremely successful, but like all companies, their focus is on developing the ILINX product, providing customer maintenance, and growing the install base. They have legacy practices and procedures for IT security. We were able to demonstrate and help them understand that, with their growth, they also become a target because successful companies appeal to criminals.

The upside of being successful is growing your revenue, client list, and capabilities, but you also become very attractive to cybercriminals. As a consequence, you have to keep up. So when we reviewed the ImageSource profile on the internet, it was adequate, maybe seven or eight years ago, but needed to be tidied up in terms of the IT security vulnerabilities. There were some services hanging out that were internet-accessible that would be attractive to cybercriminals.

With everybody else, the number one thing we look at is: What is your Internet presence? We do that with a set of proprietary automated tools that scan externally. That’s what the bad guys do. They scan companies and say, “Oh, look at all these printers,” or “Look at all the remote applications that we can get into.” Access points are easy to exploit, and that’s the approach bad actors take. One tool is internet-facing exploitation. The second thing we looked at was the email and web culture. Who is your email provider, web provider, suppliers? What controls do you have in place? What practices do you have to minimize the occurrence of ransomware attacks? As you intake content, what are the processes, procedures, and technical controls you have to do? We look at the inputs. Lastly, we look at the practices and policies that are internal. If there were a compromise, would the adversary be able to get at those resources? Those resources are of such value to ImageSource that you’d have no choice but to pay.

What we found was that ImageSource was unique in that they had an understanding of their value to their customers. That insight made our job incredibly easy because it wasn’t us telling them. We jointly came together very rapidly and understood that if there was an incident, this is the behavior that would have the most significant impact. These were our recommendations, and the leadership got to the recommendations before we did. They were very, very clear. Hats off to the leadership at ImageSource. They did their homework and understood their business-essential functions, where they sit in the marketplace, and what could jeopardize that. As a consequence, they quickly enacted the first set of remediations, which is step two.

ImageSource understood that their success was their liability because they have a high profile. They have to exhibit diligence to ensure that their risk is not passed on to their clients. ImageSource has taken steps to reduce the probability of a cybersecurity incident at ImageSource ever leaving ImageSource and affecting its partners. That is an excellent supply chain attitude and view that, you know, if others adopted, would pose a challenge to the cybercriminals because that’s the way they work. They work up the supply chain. The second lesson we learned from ImageSource was their understanding of the need for segmentation security and backup recovery within their ILINX development environment. When we walked in, we were highly impressed. We continued to be impressed with the level of professionalism and maturity of the ILINX development staff. They bring security to the top of their workflow.

Thank you. I heard earlier tension between individuals understanding personally identifiable information, which you used in that HR case as an example. Still, the value of that information is low. I have found that in other technology areas, what somebody understands as an individual is where they'll attach importance without trying to understand the real weakness. What is the best thing to do strategically? How to apply ideas throughout an organization? How do you help organizations understand the highest risk and eventually predict and correct proactively?

I think you're right about the tension. These are critical or crucial conversations that take a great deal of sensitivity. When we walk into client sites, we uncover problems that are difficult to address sometimes. They may have been cultural or financial. We are not always the bearer of good news, and that, in itself, presents a challenge. But again, having done this for decades, the processes we go through are unique to form a trusting relationship. Ultimately, we have to show dignity and respect for each of the staff members in an organization. When we say, for example, "Your business essential function, although it is critical to the organization, its value from a cyber security viewpoint is low," we mean that, if exploited, the impact would be low in terms of the rework, fines, penalties, reputation. That may be in cases because they have paper backup; they may have instituted controls. Still, we make sure that we do not give the impression that, because they have a low BEF impact dollar value, it means that they and their processes are not crucial to the company.

Thanks for that. There are two things about our biggest customer partners that I want to get feedback from you on. Our largest customers are either government agencies or financial services organizations, generally highly regulated. What do you see with those types of organizations? Where are their most significant risks? How do you convert that thinking of “we’ve got it covered” to “we may need to level up or improve”?

That’s a great question. When you win a mature organization, a very large organization, whether it’s financial, government, or whatever, they have a set of processes and procedures. The ability for a criminal to exploit the vulnerabilities within a financial institution, for example, is limited, because they spend a lot of resources on that. However, where they look is in the supply chain. Who else has access to the network? Who else supplies goods and services to the organization that is the target? The criminals don’t go after the target directly. They work indirectly through the supply chain, for example: who supplies their computers, routers, document management system.

Consequently, if you’re going after a large target, you don’t go directly to the large target. What are the back doors that we can get into? That’s why ImageSource becomes attractive because you are directly touching their systems with your systems. Therefore, your risk is their risk. Your vulnerability is passed on directly to your customers, and your leadership recognizes that. The ImageSource executive team decided that the ImageSource enterprise system would not ever contact a customer enterprise system. The laptops the professional services staff used to connect to the internet that linked back to the ImageSource network would not be used operationally. They would use a standalone set of laptops that never touch anything, and therefore, any compromise that occurred with ImageSource could or could not be passed on to the customer. It’s air-gapped.

I love what you said about endpoint security and third-party product inputs. That makes a lot of sense to me. Thinking more about it from our customer partners' perspective, many of our services are document-centric. There’s a piece of data; let’s call that container of data a document; it could have once been a piece of paper, an XML file, an email— it doesn’t matter. Is there anything specific that you’ve seen about document-centric processes that need attention or introduces additional risk?

We encourage ImageSource to offer a service that would reduce the risk content upfront. So, when an object is brought into an ILINX process, whatever the intake, that at the very first step of the very first entry process, those documents could undergo a risk reduction process. I’m not talking about virus scanning because the virus scanning is, at very best, about 60% effective, and that effectiveness is decreasing. We suggest taking a document and running it through a transformation where a PDF is still a PDF but in an advanced processing set of tools that looks deeply into the document and removes content that indicates potential risk. These are techniques that Microsoft uses very selectively within their stack. ImageSource can include it in their workflow processes for clients who want it.

So, for example, incoming email attachments are stripped off and put into some container. Before they are placed in the container, process the attachments, so the risk content gets reduced by 98%, which is statistically about the effectiveness levels. Customers would be able to have content that they have a great deal of confidence in its integrity within their domain that would be coming at the source.

This document-level security within the ILINX platform would be the same processes working at the CIA and NSA. As part of the ILINX platform, we would recommend a security element that would allow customers to deal with high integrity trusted documents.

Let’s talk more about additional transformation tools on content within your domain. As you know, especially in the last year, solutions have been deployed well outside an organization’s domain. We’ve seen this with one of our largest financial services customers, where they’ve offshored some of their entry-level work. By entry-level, I mean the point when a customer’s personally identifiable information enters their workflow is now in another country, no longer in a very secure physical environment where they’ve managed that security very well. There's a new endpoint that is beyond the reach of their previous skillset. ImageSource has developed technology like Data Loss Prevention (DLP), which puts a layer on top of the document to redact or remove the most personally identifiable information from that endpoint. Are there any other areas where we could be more effective to work with our customers knowing that any possible environment is an office now? Where do you see those solutions evolving in the near term?

The buzzword for that in the industry is zero trust. And that is, if you’re given a piece of software, you have to assume that piece of software has malicious content. Therefore, you cannot trust detection techniques, and you have to use transformation techniques. An analogy is: you’re handling a bacteria that is very contagious. You don’t touch it with your hand. You put it in a big glass box, put your hands in gloves, and then manipulate it that way. That’s the environment that we believe needs to come into practice, which gets back into transforming content. As you redact documents with DLP, we strongly suggest that you also extract elements of the documents that include properties that the user doesn’t need to see. What are the properties? What is the metadata? For example, getting a bit deeper, do you need to have Java in a PDF? Not all Java is malicious, and not all PDFs need Java, but Java and JavaScript in PDFs are an entry point for bad guys. If you’re going to be putting malware in a PDF, you will be using Java or JavaScript code, so we remove it. We’re not asking if the Java or JavaScript code is malicious; we’re saying it shouldn’t be there.

There are several growing exploits within images, whatever the image format is. It turns out that the simplest way of eliminating that malicious code is by scrambling the color palette. So if you take the color palette and it has 12 different colors and you make it 8, when you reset that, the code itself has to reset the code, go back, and touch each one of the cells, because it doesn’t have 12 shades; it now has 8, or 12 to 11. It turns out that it is about 100% effective in killing malicious code in the imagery. It’s just simple techniques like this that we call content disarm and reconstruction that, you know, remove the Java/JavaScript from a PDF. People don’t care, right? Converting a doc into a Docx, taking an Excel sheet and calling it xlm, running the same sort of things, we can reduce the risk content by 98% by just employing these conversion techniques, and it takes about half a second.
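The two transformations described in the last two answers, as an added example that is not code from the interview, from Control Cyber Risk, from ImageSource or ILINX, or from any vendor's CDR product: the rule is "transform, don't detect", so the code never asks whether a script is malicious. The PDF half rewrites every JavaScript action object into an empty dictionary and deletes the `/OpenAction` and similar triggers that referenced it; the image half re-quantizes a pixel grid onto a smaller palette so that every cell is rewritten. The sample PDF is a constructed minimal object list with no cross-reference table, and the PDF handling is a deliberately simplified regex rewrite; production CDR tooling fully parses and re-serializes the file so that the result is a valid PDF.

```python
import re
from collections import Counter

# Constructed minimal PDF for the example (not a captured sample). The catalog's
# /OpenAction points at a JavaScript action object. No xref table is included,
# so this illustrates the object-level rewrite rather than producing a valid file.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>
endobj
4 0 obj
<< /S /JavaScript /JS (CONSTRUCTED_SAMPLE_SCRIPT) >>
endobj
"""

# One indirect object: "<num> 0 obj ... endobj" (generation 0 only, for simplicity)
OBJ_RE = re.compile(rb"(\d+) 0 obj\s*(.*?)\s*endobj", re.S)


def strip_pdf_javascript(pdf):
    """Remove every JavaScript action object and the references that trigger it.
    Returns (cleaned_pdf, list_of_object_numbers_that_were_emptied). The content
    of the script is never inspected: it is removed because it should not be there."""
    removed = []

    def replace_obj(match):
        num, body = match.group(1), match.group(2)
        if re.search(rb"/S\s*/JavaScript\b", body) or re.search(rb"/JS\b", body):
            removed.append(int(num))
            # Keep the object number so other references still resolve,
            # but leave an empty dictionary in place of the action.
            return num + b" 0 obj\n<< >>\nendobj"
        return match.group(0)

    cleaned = OBJ_RE.sub(replace_obj, pdf)
    # Drop the triggers (/OpenAction, additional-actions /AA, /JS) that pointed
    # at the emptied objects so nothing tries to run them.
    for num in removed:
        cleaned = re.sub(rb"/(OpenAction|AA|JS)\s+%d 0 R" % num, b"", cleaned)
    return cleaned, removed


def count_colors(pixels):
    """Number of distinct colours in a flat list of (r, g, b) tuples."""
    return len(set(pixels))


def requantize_palette(pixels, max_colors):
    """Map every pixel onto a reduced palette: keep the max_colors most common
    colours and snap every other colour to the nearest kept one (Euclidean RGB).
    Every cell is rewritten, which is the property the interview relies on."""
    counts = Counter(pixels)
    if len(counts) <= max_colors:
        kept = list(counts)
    else:
        kept = [colour for colour, _ in counts.most_common(max_colors)]

    def nearest(colour):
        return min(kept, key=lambda k: sum((a - b) ** 2 for a, b in zip(colour, k)))

    mapping = {colour: nearest(colour) for colour in counts}
    return [mapping[p] for p in pixels]


# Constructed 4x3 "image" with 12 distinct colours, matching the interview's
# 12-colour palette example.
SAMPLE_PIXELS = [(i * 20, 255 - i * 20, (i * 37) % 256) for i in range(12)]

if __name__ == "__main__":
    cleaned, removed = strip_pdf_javascript(SAMPLE_PDF)
    print("emptied objects:", removed)
    print(cleaned.decode())
    reduced = requantize_palette(SAMPLE_PIXELS, 8)
    print("colours before:", count_colors(SAMPLE_PIXELS), "after:", count_colors(reduced))
```

The image half generalizes the interview's "12 colours down to 8" to any target palette size; when the image already has no more colours than the target it is returned unchanged, which is the edge case a pipeline has to handle without touching every file twice.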

Yes, it makes a lot of sense to me from my technology experience too. Those are areas of a document, where another technology is already doing some analysis. Even the most basic image enhancement technology will look at the color of a document to normalize it, to make it look better, or create a smaller file size. In terms of how we approach document-centric processes and improvements, I also understand the Java part. There are tools in the ILINX suite like Format Converter that facilitate this transformation.

This approach doesn’t affect usability but allows us to reduce the incidence of malware by 60-70%, which is achievable, then they can do more important things. They don’t need to be chasing this stuff, and also it reduces the probability of ransomware, in particular, by orders of magnitude. Therefore they don’t worry about it. The other part that I want to bring up is that we ask to see their incident response plan when we go and do risk assessments. If you do have an incident, what’s your plan? We find that in small and medium-sized companies, the reliance on personal relationships is the number one step in incident response. They pick up the phone and say, “I’m so sorry.” In doing so, they are admitting culpability, and now here’s a $50 million fine and penalty that might be avoided if your first step was “thank you very much for the notification, I’m calling my lawyer.”

It reminds me of the basic principles of car insurance. Of course, it’s legally required, but generally, you think, “I’m a good driver, I won’t hurt anybody,” but that’s not why you have car insurance.

Exactly correct.

Transformation is a prevalent term in content services. It used to be called enterprise content management. Now it's content services. Focusing on our journey experts in the transformation from image processing, acquiring content from a scanner or externally, and making it valuable data. And then, we start transforming that data into something automated with indexing OCR, RPA, minimizing your interaction with data, driving business processes.

Now layer on top of it another kind of transformation that reduces risk and keeps that content secure, internally and externally. It makes sense for us to bring our customer partners this next level of transformation throughout their solutions.

And that’s exactly the service offering that we want to collaborate on with ImageSource.
