In Wake Of Data Breach, Bit9's New CSO Is Shoring Up Security Defenses
Bit9 Chief Security Officer Nick Levay has been at the job for only three months, but he told CRN that he already has added staff and is executing against a priority list to bolster security procedures and infrastructure at the whitelisting vendor.
Levay, who joined Waltham, Mass.-based Bit9 in June, served six years at the Center for American Progress, a Washington, D.C., think tank, where he was director of technical operations and information security. Levay said that organization was targeted daily by sophisticated attacks, putting him in a good position to address security operations at Bit9, which suffered a high-profile data breach.
"I have a lot of initiatives and projects under way," Levay told CRN. "There is a mixture of maturing our infrastructure, building out the way our [security operations center] operates and maturing procedures for handling things. It's a lot of stuff."
The whitelisting vendor revealed the data breach in February. The firm provided details about the breach, which began with a SQL injection attack, a common Web-based attack that targets the back-end system that services company websites. The company said once attackers got in, they were able to install a back door and, due to an "operational deficiency," the malware was able to execute because the company's whitelisting software wasn't installed on some systems.
The breach struck at the heart of the company's intellectual property, giving attackers access to digital code-signing certificates. They then used the certificates to target Bit9 customers. In the hands of attackers, the code-signing certificates enabled malware to execute on systems protected by the vendor's whitelisting software. At least three firms were attacked using the stolen certificates before Bit9 revoked them. The company reportedly released details to antivirus vendors regarding more than two dozen malware types created using the stolen certificates.
Levay declined to discuss specifics but said much of the work he is overseeing was prompted by the data breach. "I'm really building out best practices in how we run our [security operations center] and we handle our operations," he said.
"Before I even got here, a lot of very good actions were taken in the wake of the breach to ensure that the types of deficiencies that led to the breach would not occur again," Levay said. "There is a degree of which that I have been taking what has already been started, maturing it and taking the additional steps."
NEXT: Levay Says Center For American Progress Under Constant 'Onslaught'
Levay promises to talk at length publicly about his work at Bit9 "farther down the road." Until then, he said he was hiring additional security staff and streamlining some processes to gain control and oversight over operations.
"The security within Bit9 is something that is taken very seriously across the board coming from the executive management level all the way down," Levay said. "We are really maturing how we approach everything and taking a fresh look at how we approach everything."
Levay said his work at the Center for American Progress involved addressing an environment under constant attack. User awareness training was critical because employees in various roles from workers in the national security group or researchers on foreign policy, climate or trade, were likely to be targeted by spearphishing attacks, particularly from state actors, Levay said.
"We were under constant attack and onslaught," Levay said. "Not a week went by where there wasn't another attack that we were monitoring."
In 2009 the Center for American Progress reported that it suffered a data breach following a sophisticated attack on its systems. In a breach notification letter (.PDF) sent to the Maryland Attorney General's office, the organization said the names and Social Security numbers of current and former employees were exposed. The attackers impacted both the Center for American Progress and its Action Fund.
Levay said he was lucky enough to find two or three respected people within the organization who took security seriously and within a year, a strong security culture had been instilled within the organization. If employees had any doubt about the validity of email content, they would send it to the IT staff for analysis.
"If you are lucky enough to get one of those situations that's the kind of thing that can push an awareness program over the line," Levay said. "You have to find champions within the organization."
PUBLISHED AUG. 22, 2013