Shawn Henry serves as chief security officer of CrowdStrike since 2012. Henry joined after retiring from the FBI senior executive service. He founded the company's security practices and its world-renowned incident response and professional services practice.
Prior to joining CrowdStrike, Shawn oversaw half of the FBI’s investigative operations as Executive Assistant Director, including all FBI criminal and cyber investigations worldwide, international operations, and the FBI’s critical incident response to major investigations and disasters. He also managed computer crime investigations spanning the globe, established the National Cyber Investigative Joint Task Force, and received the Presidential Rank Award for Meritorious Executive for his leadership in enhancing the FBI’s cyber capabilities.
Shawn Henry, chief security officer of Crowdstrike and FBI veteran, joins 'Forbes Talks' to share the new tools and risks from AI, hacking and legacy tech.
Prior to joining CrowdStrike, Shawn oversaw half of the FBI’s investigative operations as Executive Assistant Director, including all FBI criminal and cyber investigations worldwide, international operations, and the FBI’s critical incident response to major investigations and disasters. He also managed computer crime investigations spanning the globe, established the National Cyber Investigative Joint Task Force, and received the Presidential Rank Award for Meritorious Executive for his leadership in enhancing the FBI’s cyber capabilities.
Shawn Henry, chief security officer of Crowdstrike and FBI veteran, joins 'Forbes Talks' to share the new tools and risks from AI, hacking and legacy tech.
Category
🤖
TechTranscript
00:00 [Music]
00:03 Hi everybody, I'm Diane Brady. I'm here with Sean Henry, who's Chief Security Officer of the
00:08 cyber security company CrowdStrike. Sean, good to see you. I should mention that you founded the
00:14 security practice and that you retired, I think more than 10 years ago at this point, from the FBI
00:19 where you headed up global cyber investigations as well as global criminal investigations,
00:26 among many other things. So I can't think of a better person to talk to about the threat
00:31 environment right now. I don't know where to start. We've got rogue AI, espionage, you know, ransomware.
00:38 What's on your radar? Well thanks, Diane. I appreciate the opportunity to be here. I've been in this
00:45 space for more than 25 years, both with the FBI and at CrowdStrike. Now almost 12 years, you said 10,
00:51 almost 12. It's incredible how fast it's gone. That's right, 2012, you're right. Yeah, but what's
00:58 amazing is I get a lot of questions often about, from people asking about, you know, what are you
01:04 looking for? What are predictions for next year? And while there certainly are some newer things,
01:11 the reality is so much of what we're seeing is what's been going on for 20 plus years in this
01:17 space. And it's really quite frightening for a lot of reasons. First, because we've not been able to
01:25 get ahead of it and stop it. And in fact, I don't think we're going to be able to stop ever the
01:31 access of networks by adversaries, nation states, organized crime groups, activist groups, because
01:38 the networks continue to get bigger. There's always going to be vulnerabilities in software
01:44 and hardware that will be exploited. And the adversaries are getting so much in return from
01:50 their somewhat limited investment in resources. The ROI is so substantial that they're just
01:58 motivated to continue and we can't physically get to the people that are doing this. So
02:02 this is going on indefinitely. I think that some of the things that we're seeing right now, and
02:07 then I'll follow up, I think, on 2024 and dig into that. Some of the things we're seeing right now
02:13 are just the continued exploitation of legacy technology. And it's companies that have invested
02:19 a lot of money in software and in hardware. They've got relationships with certain vendors and
02:26 they've got a sense of stick-to-itiveness to that. But we're still continuing to see
02:33 the software exploitation that is leading to substantial impact on companies.
02:39 Do you mean phishing?
02:43 It is. Phishing is one way they're exploiting vulnerabilities. I think a lot of the legacy
02:48 architecture that we're seeing, Microsoft is a good example with a number of zero-day
02:54 vulnerabilities that have been attacked just in the last year, over 900 different vulnerabilities
03:02 and 30 different zero-days in 2022, which were exploited by nation states. And I just think it's
03:08 important for organizations to focus on shoring up the vulnerabilities that are inherent in the
03:16 technology they're using if they do continue to use it. I understand in many cases they've
03:20 invested a lot of money and they've got relationships, but it's really important
03:25 that we're not shooting ourselves in the foot, that there's a lot that can be done on the front
03:29 side by companies to help to protect themselves. So, Justice Booth, can I just unpack that for one
03:35 quick second for those who don't know? When you say zero-days, define that for us.
03:39 So, a zero-day is an exploit that is not known by anybody other than the actors. So, an actor has
03:47 found a vulnerability. It's essentially similar to you find a key to somebody's door, but they
03:53 don't know that they lost their keys or they don't know that their lock is broken and the adversary
03:57 is going in and out. They've got the ability to glean all the intelligence, the information,
04:04 the data that's on that network and potentially to disrupt that network. So, it's especially
04:09 crippling for companies because they're just not aware that it's there. In some cases,
04:15 you know, there are known vulnerabilities and then shame on people for not going and fixing them.
04:20 We see that quite a bit as well. But when you've got a zero-day and you've not even had the
04:24 opportunity to fix it, that's a problem. And one other clarification of what you've said so far,
04:30 is Microsoft more prone to this than others? I mean, I just want to clarify the Microsoft reference.
04:37 Well, look, Microsoft is the most ubiquitous software on the planet.
04:43 Sure.
04:43 And around for 35 years, everybody is using Microsoft to one extent or another. And because
04:52 of the breadth and depth of their software, how frequently they're being used and how regularly
04:59 they're being used, just by looking at the numbers, a small percentage of Microsoft equals a large
05:07 percentage of vulnerabilities across the entire threat landscape. So, it's a number of software
05:14 products and then the operating system itself. And then this issue about legacy operating systems,
05:21 there are times when vendors move to another version of an operating system. At some point,
05:28 they stop supporting their old software, meaning they're not putting out patches anymore if there
05:33 are identified vulnerabilities. And companies that have invested money and they don't want to
05:38 reinvest in newer software or newer technology, understandably, it's a big expense. But what
05:44 they're doing is leaving themselves quite vulnerable because the vendors no longer supporting it.
05:51 They're not going to help fix it. And at some point, it's going to be exploited. One of the
05:56 things the adversaries do, Diane, they've got crawlers essentially that are constantly in an
06:03 automated way searching for vulnerabilities on the network. And they know what versions of software
06:09 are vulnerable. They have the exploits that they're able to use to get through that, bypass
06:17 that vulnerability. So, they're constantly searching in our automated way. So, where many
06:21 times we see companies that are targeted specifically because of who they are. For example,
06:27 we know that China is interested in energy or China is interested in high tech.
06:32 Specifically targeting those types of companies. But using these search protocols and these
06:39 automated vulnerability finders, you might just be a victim because of the software you're running
06:47 where an organized crime group is looking to deploy ransomware. So, companies need to understand
06:52 that while they might not be targeted specifically, they absolutely can be the victim of an
06:58 opportunistic attack. You mentioned automation, of course, with automation, it sort of pivots over
07:05 to the new tools we have. And I think less about prevention and more about containment perhaps,
07:10 or flagging alerts. How has AI changed the picture on both fronts, the attacked and the attackers?
07:20 Yeah, great question. So, first of all, we've been using AI for more than a decade at CrowdStrike,
07:29 and I'll talk about that in a minute. I think that for the average person, the concept of AI
07:37 is really brought about because of the recent proliferation of generative AI, where the average
07:45 person can go and make a query, ask a very structured question and get a pretty complex
07:51 response back that would take hours or days to do the research to pull it together. And generative AI
07:58 is helping to automate that and to make it much, much faster. But the use of AI, essentially,
08:04 the ability to go through large swaths of data has been around for a long time. We've used it
08:10 because we use it to identify anomalous activity in behavior patterns of people. So, for example,
08:19 if we know that a particular user logs in Monday to Friday, nine to five, and these are the type of
08:27 tasks or applications that they're typically using, that's expected behavior. But if we see somebody
08:34 who is now logging in at 2am on a Saturday morning, and they're going to applications
08:41 they've never touched before, or they're taking, they're elevating their access,
08:49 this is unexpected behavior, anomalous behavior, and it would indicate that there's a problem
08:54 there. So AI essentially is used to look at large swaths of data over a very compressed time. And
09:02 for a defender, it's of great value. Unfortunately, we're seeing adversaries that are able to use
09:10 generative AI to craft malware, and people who are less sophisticated than some of the actors
09:17 that we've seen over the last decade or so, that are able to get into the hacking game, because
09:25 AI has provided them as a tool, the ability to augment their skill set, their limited skill set.
09:33 So more amateurs getting into the system, what would be the net result?
09:39 Well, more bad people trying to access your system. You know, when you look at,
09:46 as a security professional, you're trying to defend networks, you need to know who the
09:51 adversaries are, what are the vulnerabilities you're going to exploit, what's the impact
09:55 that you're going to have? Those are some of the considerations you make when you try to
09:59 identify risk to your enterprise. If you've got more actors that are getting involved,
10:05 and they're looking at vulnerabilities, perhaps different than the type of vulnerabilities that
10:10 a nation state might look at, it's just an added risk into your environment. Tie that to,
10:16 you know, you mentioned phishing earlier, it's still, it's a relatively easy type of an attack,
10:24 but it's still one of the most significant types of attacks that we see because it still works.
10:29 Yeah. So using AI, adversaries can craft very believable emails. I think historically,
10:38 one of the things security professionals would say is when you're looking at an email,
10:44 you know, look for bad spelling or poor grammar. The email address.
10:50 Yeah, well, the email address is certainly one of the areas, but the crafting of the message
10:55 itself, because oftentimes non-native English speakers are utilizing email to launch their
11:03 malware. Well, now you can have people who don't speak English well or at all, and they're able to
11:09 craft a message that looks like it's been prepared by a native speaker. So it's just become much more
11:17 believable and much more of a concern, I think, because of the capabilities of AI and new people
11:23 getting into the space because they recognize they can make a lot of money. So, Sean, I want to ask
11:28 about the external versus internal. I mean that on a country border point of view. We often hear
11:36 about, you know, hackers that are somewhere in Eastern Europe, somewhere in Russia, somewhere in
11:41 China. Do you have any sense as to how many of the threats are coming from outside the U.S.
11:48 versus inside? I don't even know if it frankly makes a difference, but I am curious if you've
11:54 noticed any change in that respect. Well, it does make a difference.
11:59 It makes a difference because the actors are going to continue to come after the networks until
12:08 they're physically stopped. And when you've got actors that are operating outside the confines
12:17 of the U.S. from a nation like Russia, China, Iran, North Korea, the U.S. government is not
12:26 going to have the capability to actually stop those people from launching these attacks because
12:31 they're protected from the government. We don't have extradition treaties. Supported by the
12:34 government sometimes too, obviously, right? Sorry? So oftentimes supported by the four that you
12:41 mentioned. 100 percent. They're in oftentimes they it is the government of the other nation.
12:47 And of course, they're not going to they're not going to hand over members of their own
12:50 intelligence community from a from a defensive perspective. I don't know that it matters
12:56 because the attack is the attack. It's important, I think, for network defenders to understand who's
13:02 attacking them, because you might identify certain tactics or procedures that they're using.
13:07 It might help you better detect the adversary. It might help you looking forward. It might allow
13:14 you to be more proactive to find an adversary before they launch an attack if you know who
13:19 they are. And oftentimes that's associated with their geolocation. You know, if it's a Russian
13:24 actor, a Chinese actor, they're typically going after different types of things within the
13:28 environment. They have different intelligence requirements that are guiding them on the
13:34 networks to target and the intelligence or the data on that network to target. So in terms of
13:39 percentages, I think that the majority of what we're seeing is still external actors, but there
13:46 certainly are actors domestically inside the United States, organized crime groups and others that are
13:52 that are targeting companies for a large financial gain through ransomware and extortion and other
13:59 types of economic attacks. Do you think as we head into an election year, are we better prepared to
14:05 handle any sort of digital espionage in essence or attacks in terms of the elections that will
14:14 be taking place? I think we're better off in that we know about it. I think that, you know,
14:24 the companies and individuals are aware of it. I still think that networks are vulnerable and the
14:31 system itself is potentially vulnerable because of how it's how it's structured. I also believe
14:38 that on the heels of 2016 and to a lesser extent 2020, that there are more adversary groups that
14:48 are aware of the impact of those prior attacks. And again, you know, the more people that you get
14:55 into the space, the more actors that are trying to get through your front door or climb up through a
15:01 window, the bigger opportunity there is for a vulnerability to be exploited and to have some
15:08 type of an impact. So, you know, the the electoral process, the election system in the U.S. is widely
15:16 dispersed and there are a lot of different parts of the system. It's not centralized. So there are
15:21 a lot of different parts of the system that can be targeted, whether it be the election rolls,
15:28 you know, the registrants. Maybe it's it's where data is collected. Maybe it's in the reporting
15:35 process. Maybe it's targeting the media that's reporting something so that it impacts people.
15:42 And then on the front side of the election process, this whole concept of misinformation
15:48 and disinformation, where we know for a fact that nation states are putting out information
15:54 in the United States specifically to create chaos, to sow division, to cause people to question
16:02 their fellow Americans, to create this divisiveness and to put out information
16:08 about certain candidates. And I think when you you know, we go back to the A.I. question and
16:13 the ability to manipulate data, the ability to manipulate audio and video. I think that that
16:20 is going to be used as part of the seeding of social media in advance of the election to try
16:28 and persuade people to vote one way or the other. The last thing I'll mention, Diane, because I
16:33 think it's really important as it relates to the elections. Twenty twenty four, there are going to
16:37 be dozens of elections around the world in democracies. And the U.S. is not the only nation
16:43 being targeted. We know that the election systems have been targeted previously in France and in
16:49 Germany, in Israel. Those nations have come forward and talked about it. Germany, another one,
16:56 they've been public with their intelligence services have identified. And when I think about
17:02 you know, I mentioned the big four actors, Russia, China, Iran, North Korea, while the United States
17:08 is certainly in their crosshairs as likely their biggest adversary, certainly not the only one.
17:16 They're not the only one. Let me I know we have to sum up, but let me ask you another few very
17:23 quick questions. One is if I were to hand you a wand, Sean, and you could wave it, what would
17:29 you change in that respect to actually make societies less vulnerable to these actors right
17:36 now? Obviously, public education, our fact we're discussing it now. But is there anything,
17:40 any levers that could be pulled that are not being at the moment?
17:45 Well, there are there are certainly quite a few. And it would be a comprehensive process. There's
17:55 no single point of failure. There's it's a whole continuum. I would say it would start with
18:01 certainly the awareness level. You mentioned education. That's critically important.
18:05 And then next to that is this whole piece about shoring up your infrastructure internally. So
18:11 you should have the best technology because the most current technology is going to be less
18:18 vulnerable to attackers. You need to have the right security technology in place that helps you
18:24 identify this anomalous behavior. That's critically important. You have to have the right processes
18:31 and policies and you have to have the right leadership in the company where not only do
18:36 they recognize this as an issue, that this is a risk, but they're willing to invest time and
18:40 energy and money to protect their assets and to protect their their customers, their data,
18:45 their employees. That's that's really, really important. And then I guess, you know, I go back
18:52 to this concept of actors that are operating in a place where they can't be touched. So they operate
18:58 with impunity and it goes on indefinitely. I think that there is going to have to be a much more
19:05 direct and specific conversation, nation state to nation state about what's acceptable and what's
19:11 not and and what the consequences are if you cross one of those red lines. You know, we've seen
19:18 adversaries targeting critical infrastructure like water and electric power. And, you know,
19:24 in the physical world, in the kinetic world, there are certain requirements and certain
19:30 processes for assuring those things don't get targeted. I think you have to see the same thing
19:35 in the digital world. Yeah. Well, I look forward to continuing the conversation. Thank you for
19:40 raising our awareness of some of the issues. Obviously, many more to come and appreciate
19:47 your time. Look forward to speaking to you in the new year. Thanks, Diane. I really appreciate it.
19:51 Safe and happy new year to you. Thank you.
19:54 you
19:55 Transcribed by https://otter.ai