The Gately Report: TD Synnex CISO on Protecting the World's Largest Distributor
Apria Healthcare takes years to report massive data breach.
![TD Synnex CISO (image: Shutterstock/archetype)](https://eu-images.contentstack.com/v3/assets/blt10e444bce2d36aa8/bltc6e875c758e61a55/6523f8ab3817f65249800c6c/Protecting-TD-Synnex-scaled.jpg?width=700&auto=webp&quality=80&disable=upscale)
Channel Futures: Is TD Synnex constantly dealing with cyber threats? What types of threats are you seeing?
Dan Lasher: The answer is yes. Any company our size has threats. I wouldn’t say that our threats are any different than any other enterprise global entity, but we have regional threats and a couple that are global in nature. But we have people that look at our organization for the type of products we have in warehouses, and there are certain threats to try to steal product. And then we sell a lot of virtual capabilities, compute in the cloud, and there are threats to be able to break into that in order to spin up workloads to do crypto mining. We see those types of threats. We see social engineering just to be able to break in and do wire transfer-type attacks. But it’s the same type of attack posture and threats that most companies would experience. I wouldn’t say there’s anything unique because we’re a distributor, other than we are hyper-sensitive to supply chain attacks because, frankly, if somebody was able to get ahold of a distributor, based on our vast reach with APIs and machine-to-machine processing, we’ve got to make sure that we’re fortified so that somebody can’t pivot to one of our largest resellers or vendors.
CF: Is TD Synnex targeted just because of its size and prominence?
DL: Certainly as we get bigger, the answer is yes, although not recently. Years ago, we got on the radar screen with a hacktivist, which is a certain type of threat adversary. And hacktivists are some of the worst organizations to deal with because for most hacking organizations that are based on just monetary gains, there’s a cost-benefit analysis. They expend money and time to break in, and if it doesn’t pan out, they move on. A hacktivist is based on an emotional platform. And we caught the attention of a hacktivist group that just hated big companies. And they never went away because it was an emotional thing. And as time passed, we became bigger and bigger, and they eventually went away. But a hacktivist or a nation-state threat actor is probably one of the worst types of adversaries any company would ever want to face down. And that’s just because they’re so persistent.
CF: If an attack succeeds, would it not only be a threat to TD Synnex, but also its partners and customers?
DL: There are some scenarios in which an attack on us could put a hacker at closer reach with one of our partners. We do a number of things besides just selling product. We provide services. We provide a number of back-office functions. And those are highly tailored to a lot of relationships. And we do go through a fair degree of effort to understand the attack vectors and motivations, and to make sure that we’re taking appropriate measures to safeguard those business relationships. There are certain scenarios that are more concerning than others, but we do a fair degree of proactive research and design, and then we have a professional team of hackers ourselves that just pressure-tests everything. Our red team is a group of ethical hackers that are constantly trying to break into our environment and trying to use the same techniques that hackers use. They’ve often written their own malware to see if it can slip past some of the most common and advanced malware protection vendors that we use within our environment. They’re a very progressive group that we use to really validate just truly how well our systems and our processes are working.
CF: Has TD Synnex ever been hacked? If not, what’s keeping it protected?
DL: You’ll notice there was a 10-Q filing, so we did have an incident. It resulted in no harm, but to be transparent to our shareholders we did share some details related to an incident. And it was related to pre-merger legacy Synnex. It had a threat actor that had gained access to some systems. No confidential data was ever gained. Access to the situation was dealt with. That same threat actor returned after the merger and got into a similar system. We focused our attention with some third-party specialty firms to really dig in to the details behind it. We did a lot of root-cause analysis and used it to make other investments to fortify ourselves. And I would say that threat actor was very advanced and specialized in a lot of evasive techniques. Most of our security incidents are run-of-the-mill. Somebody has a notebook stolen out of the back of their vehicle. We’ll treat that as a security incident. And we run a number of mitigating controls such as hard drive encryption to make that device loss a non-relevant point. There’s nothing that somebody can retrieve off that device. And we get a number of social engineering attacks with people attempting wire transfers and things like that. We’ve gotten a number of messages trying to impersonate executives, trying to trick people into buying Apple gift cards, just the run-of-the-mill common stuff that any customer would see. We certainly get plenty of noise, but none of that really results in any kind of compromise.
CF: Do you know who the threat actor was and their motivation? Was that threat actor someone other than the hacktivist?
DL: This is what I would describe as a nation-state threat actor. I’d rather not reference the name because it’s still being investigated by the authorities and they don’t want us to compromise their investigation. But we know who the actor was. We know their techniques. It wasn’t limited just to our organization. This same hacking group went after other players in the channel. Their motives were espionage, just gaining political insight into our supply chain. Their goal was not to hurt or cripple our system availability. They weren’t even really interested in the data that we possess. It really was just to gain insight into who the key players were in the supply chain. But with that said, as we investigated, there was no data confidentiality that was breached. But it’s certainly uncomfortable having unauthorized people accessing a system. So that was addressed, and we’re fairly confident that we’ve taken all the right measures to keep them away. But we do occasionally see them trying to reacquire access to our systems. And as we communicate with others within our industry, others are sharing the same feedback that the threat actor hasn’t gone away.
CF: What’s your strategy as TD Synnex’s CISO? Has it evolved?
DL: I would say our strategy has been fairly consistent. Certainly the merger is exciting, and we’re focused on unlocking the vast potential of the two companies coming together. And you might think, well, how does security get into the realm of unlocking that potential? As the two companies have merged, there are vast capabilities between both organizations. As they fuse together, we want to leverage technological capabilities and bring two vast networks together. It’s complex, and there are a number of security tasks required to bring that connectivity in. So our strategy is to tap into that potential. We’ve got a very robust roadmap to federate things and make things as unified as possible. And then also there’s a huge opportunity through combining the two companies to achieve synergy savings, where we get to compress contracts and share technological capabilities, and that squeezes out cost, which we’re able to then extend as savings to our own customer base. So there are a number of things related to the merger. Outside of that, we’ve got a robust roadmap related to the company’s focus on digital innovation. And as we’re making various advances in our cloud capabilities, my security team is focused on making sure that those capabilities are secured. And then outside of that, just because the world evolves around us, we’re keeping up to date on some technological advances that help us be more efficient. And to be one step ahead of the advanced threats: artificial intelligence (AI) and machine learning (ML) in the hands of hackers is kind of scary. But also, we’re using very similar technologies to defend ourselves.
CF: Did bringing the two companies together create holes in security? Was one company’s security stronger than the other?
DL: I would say they were fairly similar. There were certainly different areas of strength between the two organizations, but both organizations were highly successful as they came into this merger. There certainly were a few areas where one company maybe was better than the other. We have the benefit as we combine to do the best of, and we view that from a people, process and technology standpoint. Fusing together, we got the benefit of two great organizations with slightly different playbooks. So we went through document by document, control by control, and said, where are we performing the best between the two companies? And then we saw the best of, and we’re really happy with where it landed. The two companies certainly had some differences, but they were pretty close.
CF: What do you find most dangerous about the current threat landscape?
DL: For the threat actors we’re seeing, I would say not much has changed, other than maybe what we’re seeing through the various threat intelligence services that we subscribe to. This is not something that we experience directly, but we’re starting to see more attacks where hackers are living off the land in order to evade detection, rather than hackers uploading their own hacking tool kits, which would be a tripwire for a lot of companies to react to. It seems like hackers are getting better at doing covert action and using tools that already exist within a company. We’re seeing hackers be a bit more covert and clever, and thoughtful with how they break in. They’re doing more of the long game. Years ago, if a hacker was going to break in, it was pretty quick from point of entry to when they were doing something that might be visible. The trend now is low and slow, stay under the wire and don’t be detected. And that certainly makes it harder to pick data points out of various monitoring solutions to detect that nefarious activity. So to combat that, we have technology that does a lot of baselining of normal user behavior. And then we focus on the abnormal, the atypical things that people have never done before that pop up on the radar screen. And it’s some of the techniques that we’ve used to catch our red team, who use these same living-off-the-land techniques. But we run a number of ML-type technologies that really study human behavior to say, hey, something’s happened, that’s really atypical for this user to be doing.
CF: What would be your advice to other CISOs? Is your job particularly stressful?
DL: I might be the odd type, but actually it’s thrilling. Certainly there’s the common question of what keeps me awake at night. I actually sleep pretty well. And it’s not because we don’t face threats. I have assembled a fantastic team, and I know that they have drilled, we’ve practiced, we’ve pressure-tested the team, and I’m confident in their ability to execute. So I actually sleep pretty well. With that said, I think the thing that probably keeps most people up at night is what they don’t know. The area that could bite them that they just haven’t thought of or prepared for before. It’s one of the reasons why we run so aggressively with our red team, just to kick the tires and see if they can do something that we never anticipated. And I do meet with a number of CISOs across different industries to do best practice sharing and to share horror stories. The focus is again for us to learn from one another. And I would say we’re pretty well positioned, but every month there is something that’s brought to the table that frankly is kind of a surprise at how creative and how much ingenuity these hackers have. Somebody will share a technique and we’re like, we never thought of that one, or, are we prepared? And then we’ll simulate it. But the threat landscape is pretty broad and the hackers are very motivated, and clearly it’s profitable for them to continue. But as I talk to other CISOs, for those that plan, prepare and pressure-test their environments, I think everybody’s in pretty good shape.
In other cybersecurity news …
The city of Augusta, Georgia, said its most recent IT system outage was caused by unauthorized access to its system.
According to BleepingComputer, the city hasn’t disclosed the nature of the cyberattack. However, the BlackByte ransomware gang has publicly listed Augusta as one of its victims.
The office of the mayor released this latest statement:
“Augusta’s IT department continues to work diligently to investigate the incident, to confirm its impact on our systems, and to restore full functionality to our systems as soon as possible. We continue to investigate what, if any, sensitive data may have been impacted or accessed.”
The mayor did say recent media reports regarding Augusta being held hostage for $50 million in a ransomware attack are incorrect.
Paul Bischoff, consumer privacy advocate at Comparitech, said although the $50 million figure might not be accurate, “you can bet that BlackByte is demanding a ransom, and it’s likely in the millions of dollars.”
“Ransom amounts for government organizations in the United States range from $1,000 to $5 million, according to our analysis,” he said. “Georgia is the second-most targeted state for ransomware attacks after Texas. Prior to this incident, Georgia suffered 25 ransomware attacks on government organizations, affecting 24 million people since 2018. Two big questions remain. Was any of the affected data exfiltrated before it was encrypted? And will Augusta pay the ransom? If the attackers managed not just to encrypt data, but also steal it, then they could attempt to extort Augusta twice: once for the decryption key to restore Augusta’s systems, and again to ensure the stolen data is not sold to other cybercriminals.”
Chris Hauk, consumer privacy champion at Pixel Privacy, said since the targeted systems belonged to a city government, “there is a good chance that information about the city’s citizens was stored on the government [system], including billing information, which could include banking and credit card info, which may have been used to pay property taxes and other city fees and fines.”
“Augusta citizens will therefore want to stay alert for phishing attempts from bad guys claiming to be official communication from the city government,” he said.
Apria Healthcare, a U.S. provider of home medical equipment delivery and clinical support, has reported a data breach potentially impacting nearly 2 million patients and employees.
It recently notified those patients and employees that their personal and financial data may have been accessed by hackers who breached the company’s networks between April 5 and May 7, 2019, and again from August 27 to October 10, 2021.
It’s unclear why Apria waited until now, roughly two years after the second intrusion and four years after the first, to send notification letters.
Information potentially accessed may have included personal, medical, health insurance or financial information such as bank account and credit card numbers in combination with security codes, access codes, passwords and account PINs.
A data breach notification filed with the Maine Attorney General’s office confirms the breach and the number of people potentially impacted by it.
According to an alert on Apria’s website, the company took immediate action, including working with the FBI and hiring a reputable forensic investigation team to investigate.
Willy Leichter, vice president of marketing at Cyware, said this is “another example of the fundamental flaws in our breach notification system.”
“Learning that your personal data was breached two years ago is practically useless, and all the free credit reporting in the world won’t help,” he said. “While we try to mandate how quickly an organization must report a breach, there are no clear standards on how quickly breaches need to be discovered. In fact, there’s a perverse disincentive – the more lackluster your security, the longer you can wait to discover or disclose breaches that can be damaging to your business.”
Roy Akerman, co-founder and CEO of Rezonate, said health care personally identifiable information (PII) is considered premium in dark web forums because, unlike a password or card number, a person cannot simply change it.
“It is critical now to complete the investigation and truly understand the chain of attacks that occurred in 2019 and 2021, and validate there is no additional stealthy adversaries hiding and no backdoors left behind,” he said.
New Trend Micro research details a technique used by the BlackCat ransomware group.
BlackCat has been observed deploying a malicious Windows kernel driver or program signed with a stolen or leaked cross-signing certificate. Because Windows loads the signed code as trusted, the driver runs at kernel privilege and its activity stays hidden from security tools.
According to a Trend Micro blog post, “the February 2023 ransomware incident we observed proves that ransomware operators and their affiliates have a high level of interest in gaining privileged-level access for the ransomware payloads they use in their attacks.”
“Malicious actors that are actively seeking high-privilege access to the Windows operating system use techniques that attempt to combat the increased protection on users and processes via endpoint protection platform (EPP) and endpoint detection and response (EDR) technologies,” it said. “Because of these added layers of protection, attackers tend to opt for the path of least resistance to get their malicious code running via the kernel layer (or even lower levels). This is why we believe that such threats will not disappear from threat actors’ toolkits anytime soon.”
Callie Guenther, cyber threat research senior manager at Critical Start, said Microsoft’s response to the reported abuse of its hardware developer accounts, revoking the compromised accounts, is a crucial step to prevent further misuse. However, it doesn’t address the root issue: detecting the behavior sequences that led to the abuse. This vendor action is typical and expected, but it demonstrates the need for proactive measures to address security weaknesses in the signing process.
“The research dissects various approaches used by malicious actors to sign their kernel drivers, including abusing Microsoft signing portals, using leaked or stolen certificates, and utilizing underground services,” she said. “This insight into the attackers’ methods helps threat researchers better understand threat actors’ tactics, techniques and procedures (TTPs), and guides the development of effective countermeasures. Additionally, the analysis highlights the persistent threat posed by rootkits and their ability to hide malicious code from security tools, impair defenses and evade detection for extended periods. The development and use of such sophisticated tools by threat actors underscore the need for robust security measures and proactive detection strategies.”
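A signed malicious driver leaves one observable that does not depend on the EDR it is trying to blind: the Authenticode chain on every driver the kernel has loaded. The following PowerShell hunt script is an added example written for this page, not code from Trend Micro or from the article. It assumes an administrator session on a 64-bit Windows host, that inbox and WHQL/attestation-signed drivers carry a Microsoft publisher name in the signer subject, and that a loaded driver signed by a third-party publisher (a cross-signed driver) or whose signature no longer verifies is the one worth a second look.

```powershell
# Added hunt script (not the article's or Trend Micro's code). Enumerates the kernel
# drivers currently running, verifies each driver file's Authenticode signature, and
# reports the ones that are either not validly signed or signed by a non-Microsoft
# publisher. Assumptions: run elevated on Windows 10/11 x64; Microsoft inbox drivers and
# WHQL/attestation-signed drivers carry "Microsoft" in the signer subject.
function Get-SuspiciousDriver {
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' }

    foreach ($d in $drivers) {
        if (-not $d.PathName) { continue }

        # Service image paths come in several spellings: \??\C:\..., \SystemRoot\..., or a
        # path relative to the Windows directory. Normalise to a plain filesystem path.
        $path = $d.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        if (-not [System.IO.Path]::IsPathRooted($path)) {
            $path = Join-Path $env:SystemRoot $path
        }
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $sig    = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        $reason = $null

        if ($sig.Status -ne 'Valid') {
            # NotSigned, HashMismatch, NotTrusted, UnknownError: the chain does not verify on
            # this host today. A certificate revoked after abuse was reported shows up here.
            $reason = "signature status $($sig.Status)"
        }
        elseif ($signer -notmatch 'Microsoft') {
            # A valid signature from a non-Microsoft publisher means the driver was
            # cross-signed with the vendor's own certificate rather than signed by Microsoft.
            # Legitimate for older third-party drivers, but also exactly the profile of a
            # driver signed with a stolen or leaked cross-signing certificate.
            $reason = 'third-party (cross-signed) publisher'
        }

        if ($reason) {
            [pscustomobject]@{
                Driver     = $d.Name
                Path       = $path
                Signer     = $signer
                Thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }
                Reason     = $reason
            }
        }
    }
}

# Usage: list the findings, worst first. Compare unfamiliar thumbprints against vendor
# records and against your EDR's driver-load telemetry before deciding anything.
Get-SuspiciousDriver | Sort-Object Reason, Driver | Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind. First, a cross-signed third-party driver is not proof of compromise; many legitimate pre-2021 drivers look exactly like this, so the output is a review list, not an alert. Second, the other abuse route the report describes, signing through compromised Microsoft hardware developer accounts, produces a driver with a genuine Microsoft signature that this check accepts; catching those depends on Microsoft's driver blocklist and on behavioral telemetry (a driver loading immediately before EDR processes lose their protection), not on the signature chain alone.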
TD Synnex CISO Dan Lasher knows what it’s like to go from leading cybersecurity for a $35 billion company to doing so for a $60 billion company overnight.
Lasher was Tech Data’s corporate vice president of enterprise architecture, governance and cybersecurity until its $7.2 billion merger with Synnex to become TD Synnex. He then became TD Synnex’s CISO.
“I’ve been with the company for 33 years, and it hasn’t been security the whole time,” he said. “But I’ve been in various innovation roles, architecture roles, and then my career journey led me down the path of becoming the leader of security. My role didn’t change other than size.”
Responsibilities as TD Synnex CISO
As TD Synnex CISO, Lasher said he’s focused on helping the organization innovate and grow, and at the same time keeping it safe.
“I have a team of 95 individuals that comprise our cyber defense center, so all the prevention, detection and response because of our vast amount of innovation,” he said. “I’ve got a team that focuses on securing our software development life cycle. I’ve got a team that focuses on risk management, which also includes vetting third parties. I have a red team that is constantly pressure-testing all of our processes and assessing any vulnerabilities that we need to be ahead of. I’ve got a security awareness team. And then I’ve got a team focused on information protection. We’re a hands-on group protecting a $60 billion business, and that of our supply chain customers and vendors.”
A big message at last week’s TD Synnex Beyond Security was providing resellers what they need to help SMBs shore up their cyber defenses.
“There are a number of opportunities for our SMB market to bring to those organizations similar disciplines that we do in the enterprise space,” Lasher said. “Everybody has issues around the threats of ransomware or social engineering attacks. And TD Synnex has invested a lot of money and resources to protect ourselves. But not every SMB customer has made that same level of investment. And for our resellers, that’s a huge opportunity for them to help those organizations get ahead of that train. They have an opportunity to focus on growing their profitability and their revenue base by seizing those opportunities. Not every SMB customer is doing phishing simulations. Not every SMB customer has robust policies. Not everybody is doing penetration testing. And these are all things our resellers can step up and do.”
Want to contact the author directly about this story? Have ideas for a follow-up article? Email Edward Gately or connect with him on LinkedIn.