[00:00:36] Camille Morhardt: Welcome to today’s show, Cyber Security Inside What That Means. We’re going to talk about incident response and remediation communications. We’ve got with us Jerry Bryant and Crob, both directors within the Communications Group within the Intel’s Security Center of Excellence. Welcome guys.
[00:00:56] Jerry Bryant: Hey Camille.
[00:00:57] Crob: Great to be here.
[00:00:58] Camille Morhardt: It is really great to have you here partially because I am Vanna White-ing merch from, uh, these gentleman’s podcast. They have a podcast called Chips and Salsa. And we’ll talk a little bit about that, too. Um, but first of all, let’s get started by understanding, you know, what is incident response and remediation communications.
[00:01:20] Crob: You want to start off Jerry, and then I’ll fill in.
[00:01:21] Jerry Bryant: I’ll start off. Sure. Every technology company has to deal with the product vulnerabilities. Sometimes they become an incident if they’re publicly disclosed by an external researcher or somehow it’s leaked out there or found being used in some sort of an attack against customers. That’s an incident that, uh, we respond to.
So we develop a communications plan, which involves a whole process of understanding the issue, understanding where we are with a potential mitigation. What other things do our customers need to know? And then putting out those communications with the clear goal of providing actionable information for customers.
[00:02:08] Crob: It’s a lot of orchestration and coordination amongst just the industry and our customers to make sure that as problems are found, they’re able to quickly get addressed and corrected to minimize the risk that an end user would have.
[00:02:22] Camille Morhardt: So we had a conversation with, uh, Lisa Bradley of Dell she’s in the PSIRT team there. And I’m wondering if you guys can explain how you work with the PSIRT team or PSIRT starts actually taking in reports of vulnerabilities and then triaging them, and then working with engineering across the company to come up with mitigations, updates, et cetera. So how does the communications team work with that group?
[00:02:48] Jerry Bryant: That’s a good question, cause I always refer to ourselves as the communications arm of the PSIRT. You know, PSIRT drives the vulnerability management process from intake to triage, to mitigation, to disclosure. It’s our job, as we get towards the public disclosure of that, to develop the strategy and the comms to go with that issue.
So again, what the customers need to know, where’s the mitigation? They should look at their risk factors, you know, things like that. So that’s the kind of stuff we try to manage as we get to that public disclosure phase.
[00:03:29] Crob: And we’re also consultants with the PSIRT. As they have reports, we help provide feedback on that comm strategy Jerry talked about. We think about what types of impacts could happen if it gets out in the media too soon, or the types of questions customers or partners might ask about the particular problem.
So we’re really consultants. They’re a sister team. And like Jerry said, we, we provide that service of communications for them to try to help make sure things run smoothly and everyone’s clearly informed.
[00:04:03] Jerry Bryant: There’s definitely a lot of, uh, risk analysis involved. You know, if it’s an external researcher, what’s their history like, you know, when they report an issue? You know, what can we expect from them? Do they like to develop some sort of a brand name for the vulnerability they discovered or whatever? That all kind of informs us as the communications guys or gals to develop the right strategy–sometimes proactively–cause we, you know, we know there’s enough triggers that this thing is going to maybe end up being a, a media story. And that generally causes a lot of customer questions to come in. And so we proactively prepare for that stuff ahead of time. Given what those triggers are that we see that may come to fruition.
[00:04:51] Crob: And some issues are very complex and they require some more in-depth conversation about how to mitigate it or what the issue is. And a lot of times the PSIRT team or a product engineering team, that’s focused on developing the solution, trying to get that thing fixed, and then not necessarily understanding that this is a really hard problem. And somebody that’s going to implement this fix might need to take additional steps. We provide that feedback and help get them the appropriate level of artifacts to kind of share that information.
[00:05:22] Camille Morhardt: And I’ve heard the term coordinated vulnerability disclosure, which sounds very fancy. And I’m wondering, what is that? and why does that have to exist? Why can’t a company just be completely transparent with the public from the very beginning of understanding there’s an issue?
[00:05:40] Jerry Bryant: Uh, that’s a deeply rooted question (laughs). But back in the early 2000s, it used to be called responsible disclosure. And of course the security research community took offense to that because you know, a lot of people rightfully so believe that they find something, they should be able to disclose it.
But the idea behind coordinated vulnerability disclosure is that the researcher who found the issue works with the vendor whose code the issue is in to get a mitigation in place and distributed to their end customers before you publicly disclose the details of the vulnerability; that way the ecosystem has a chance to develop effects and get it deployed, you know, before those details are out and can then be used in potential exploits.
[00:06:34] Crob: And it’s really making sure that everybody that’s involved in that disclosure, uh, downstream suppliers that everybody’s prepared and ready so that when that goes public, that the end user that’s using this hardware or software has the smallest window of risk; they have access to the fixes as quickly as possible when it goes public so that their opportunity to get exploited is greatly reduced.
You do that by kind of orchestrating, you know, talking through everybody that needs to be informed so that they can be prepared when the starting gun goes off.
[00:07:08] Jerry Bryant: So, yeah. And so CVD was the, uh, the terminology developed with inputs from the industry that was innocuous and neutral in tone; it didn’t point fingers. It’s characteristic of vulnerability management that we’re going to coordinate from one end to the other to help keep the ecosystem more secure.
[00:07:31] Camille Morhardt: Uh, nobody’s necessarily in charge. I mean, everybody might have, or multiple people, multiple parties might have the information and could disclose at any moment, but they’re agreeing to work together to kind of roll it out in concert with a mitigation or an update?
[00:07:48] Jerry Bryant: Yeah. Um, you know, for example, uh, you know, Intel runs several bug bounties. Researchers find a vulnerability, they could submit it to our bug bounty and depending on the severity of the issue, they can get some money from our bounty program. But the terms they agree to are that they will follow coordinated vulnerability disclosure with us, right?
[00:08:11] Crob: And it’s all about managing and reducing risks and these researchers they are doing this investigation because they legitimately want to make things better. And when they go through programs like a bug bounty or a VDP–vulnerability disclosure program–that a vendor might have, you know, they, they are doing that because they want to make that particular product better and they want to help protect that community of users.
[00:08:35] Camille Morhardt: So let’s, I want to talk about the product security report. This is something that is relatively new put out by Intel. Can you describe what it is and why it started?
[00:8:48] Jerry Bryant: Sure. So I started at Intel in 2019, and at the end of that calendar year is, when I created the first product security report and the reason behind it was more to show the investment that Intel makes in product security assurance. When you think about vulnerabilities, you know, there’s often comparisons out there between companies and how many vulnerabilities they have in their products. So we were seeing where there’s news stories comparing us with one of our close competitors and “wow, you know, Intel has 235 vulnerabilities and they addressed in 2019 and their competitor only has 8.”
But when you start to look at the numbers, you find that, “oh wow, 60% of the vulnerabilities that Intel addressed, they found themselves through their own internal research” and “oh wow, their competitor doesn’t report anything they find internally.” So there’s this commitment to transparency that we have through our Security First pledge, which drives us to publish the information about stuff we find internally, therefore our customers can make a more accurate risk assessment.
So there’s all this about the investment that we make. We try to include information there on what Intel employees are doing out in the ecosystem to better the state of security. You know, ISO standards, uh, help me out Crob…
[00:10:25] Crob: like, uh, participation in industry groups like FIRST or Open SSF or other things.
[00:10:31] Jerry Bryant: I mean, we have people out there contributing to building new standards in hardware debug security, and everywhere we look, we don’t see our competitors. You know, we just had these announcements coming out of Vision, you know, around open source. So our CEO Pat Gelsinger has an open letter to the Open community, pledging, you know, the Intel is going to support open source initiatives.
A stat came out also that over the last five years, you know, Intel has invested over $250 million in open source security. And on Chips and Salsa we’re doing a video series right now on open source security and the individuals within Intel that are doing things like building Linux kernel fuzzers and open sourcing, those fuzzers and all the scripts that we do.
I mean, it’s incredible as we dig into it and uncover more and more. It’s incredible how many people at Intel are actively engaged out there trying to build better standards, you know, improve standards, and make the ecosystem safer place.
[00:11:42] Crob: It’s interesting to think about these common good type efforts that we participate in that benefit the whole global community. It’s pretty amazing.
[00:11:52] Camille Morhardt: So you guys brought up Chips and Salsa. I have my, my packet right here with me, ready for a little morning snack (laughs). So, um, talk about that. You guys started a podcast together and it’s very cool. It’s very informative. You go deep with Intel experts and really talk with them about some of the very specific things that they’re working on. And I think you uncover things that are not well-known, frankly.
And so I wonder if you could talk a little bit about what was surprising to you when you started digging in and talking with experts within the company.
[00:12:34] Crob: Uh, I’m a relatively newbie to the organization, and it’s just amazing to think about the depth and breadth of talent and efforts that our folks are doing on so many different levels. And we’ve interviewed folks about our, uh, long-term retention hub down in Costa Rica. And that was an amazing project that allows us to have this huge back catalog of products that we’re testing out new features or new patches or security vulnerability fixes, we have the ability to test back through ten years of our products, which is a capability that didn’t exist.
And it’s just interesting to kind of continually be reminded of the raw talent of some of these folks and the interesting things they’re doing. Like we talked with Jason Fung, who is contributing to some upstream efforts for a program called CWE, common weakness enumeration. It’s a vulnerability thing where that’s describing kind of the root cause of a software/hardware problem.
Oh, he was he in orchestrating getting the creation of hardware CWEs so that the help kind of explain problems in hardware, which has, you know, it was brand new and it’s just a constantly, we’re not stumbling, but we’re being introduced to people that you work with every day, you’re in meetings all the time with, and to kind of understand the portfolio and the breadth of what they’re bringing to the community and the company it’s amazing.
[00:13:54] Camille Morhardt: You know, we may be familiar with common weakness enumeration. Um, in fact, we did do a podcast where Katie Noble described that for us. I think it’s called Risk Management, Risk and Vulnerability Management, Risk Mitigation and Vulnerability Management. But you know, to, to then discover that somebody that, you know, you sit next to you or you virtually sit next to actually was instrumental in adding the hardware portion of that to the entire industry. It’s very cool.
You know, that’s a kind of thing that I think that I’ve discovered listening to your podcast. It’s like, oh, I just assumed, you know, either that always existed or that it was sort of created not by the very person sitting next to me that, you know, I am now and then to ask a simple question, right? (laughs)
[00:14:42] Jerry Bryant: Yeah, I think one of the takeaways customers should have, if they go through and watch Chips and Salsa videos—
[00:14:52] Crob: And they should.
[00:14:53] Jerry Bryant: It’s the focus of Intel employees outside of Intel. More than any other company I’ve ever worked for Intel is broadly out. So it’s just in strange places too. So, uh, the first Chips and Salsa episode we did was with the Enrique Carrero. And he’s out working in the debug standards groups, but specifically driving debug standards for security, you know, trying to build new norms and in, uh, uh, Oh, what the heck do you call them… standards. You know, and how, you know, debugging is done on computers in a secure manner, never would have guessed that, you know, we have this guy at Intel, that’s extremely passionate about this and loves working with these groups and driving these new standards. And again, our competitors aren’t even involved.
[00:15:52] Crob: When you’re interviewing someone and most people are humble folks; they don’t like to talk and seem like they’re bragging. But you know, some of the amazing things these folks do, and I, I really have enjoyed, uh, capturing that content and being able to draw that out of the folks we’re talking with and to highlight something that they might’ve thought, “oh, this is just something that I do in my spare time.” And then realize the impact of this. So I’ve, I’ve really enjoyed that about the podcast. Like it’s always fun. Watching people have dogs fight in the background or kids run around without diapers.
[00:16:29] Camille Morhardt: Are you going to keep it virtual?
[00:16:31] Crob: We’re thinking that potentially traveling to some conferences if the world gets a little better and going out and doing some live interviews with conference speakers, maybe some security researchers. I think that brings a whole set of interesting challenges and are going remote/mobile.
[00:16:48] Camille Morhardt: There you have it. Chips and Salsa’s Jerry Bryant and Crob from Intel’s Communications Group. Also talking about their podcast. Really good to have you guys on the call.
[00:16:58] Crob: Thank you, Camille.
[00:17:01] Jerry Bryant: Yeah, thanks Camille. And next you’re going to be on Chips and Salsa.
[00:18:28] Camille Morhardt: Woohoo! I have to find a different t-shirt or maybe I’ll keep, maybe I’ll keep it for flow (all laugh).