Rethinking Risk After the FTX Debacle
Risk is no longer a single entity, but rather an interconnected web of resources, assets, and users.
Within the first few hours of the FTX implosion, investors and crypto bulls were working through the Kübler-Ross model's five stages of grief: denial, anger, bargaining, depression, and acceptance. As more details came out about the inner workings of FTX, I realized that truth really is stranger than fiction.
The 30-year-old founder of FTX, Sam Bankman-Fried, was known simply as SBF — a single moniker that put him in the company of Madonna or LeBron. His firm seemingly came out of nowhere to establish itself as the de facto standard for crypto exchanges. The firm and the founder were surrounded by all the trappings of success and legitimacy — a fawning press, famous and powerful friends, and sycophantic politicians.
Who would ever suspect fraud with such a veneer of respectability? The obvious comparison was Theranos and its CEO, Elizabeth Holmes. When stories emerged that FTX's potential losses totaled $50 billion, comparisons to another fraudster — Bernie Madoff — emerged.
However, there is one huge difference between SBF and Madoff: Madoff was a singular figure orchestrating a massive Ponzi scheme. The funds that came to Madoff didn't go into other investments. In fact, they didn’t go into any investments. They were used to keep existing clients happy while new clients were brought in. All of the risk for Madoff clients was represented in Madoff himself.
In the case of FTX, SBF lent Alameda Capital — the firm's in-house investing arm — more than $8 billion in client funds. It is patently illegal to mix client funds in an exchange with outside investments. Most shocking of all is what SBF and Alameda were doing with that money. They thew the money into more than 400 different investments in the emerging crypto market, from failing exchanges to worthless coins. Investors who parked their money, and their crypto, at the FTX exchange had no idea the risks they were facing.
Know Your Attack Surface
The threat surface for FTX clients wasn't just about protecting their FTX passwords or hoping the exchange wouldn't get hacked like the Mt. Gox bitcoin exchange and so many others did. Instead, their portfolios were at risk of implosions over assets and investments they had never heard of.
That is the definition of risk: having your hard-earned money and investments merged with a toxic mix of super-risky sludge. That’s a helpless place to be.
After more than 20 years in cybersecurity, it is difficult not to think about risk exposure and threat management in a case like this. Security teams are dealing with something much more akin to SBF than Madoff. There is no singular threat facing an enterprise today. Instead, it is a constellation of assets, devices, data, clouds, applications, vulnerabilities, attacks, and defenses.
Security teams' biggest weakness is that they are being asked to secure what they can neither see nor control. Where is our critical data? Who is accessing it, and who needs access? Every day in cybersecurity, the landscape of what needs to be protected changes. Applications are updated. Data is stored or in transit among multiple clouds. Users change. Every day represents new challenges.
Security starts with visibility. That’s why discovery is all the rage these days. From the cloud to data to external assets, security teams are digging into discovery tools that help them understand exactly what they have to secure, where it is, and who is accessing it. There is an urgent need to understand the connections among users, partners, devices, and applications. The FTX crypto investment scenario I've described could just as easily be interconnected enterprise resources, and internal and external users.
I feel terrible for anyone caught up in this FTX mess. For cybersecurity professionals, it is yet another reminder that it is not just the resources and employees of your organization that impact security; it is a web of connections that grows every day. We live in the age of discovery for a reason.
About the Author
You May Also Like
Transform Your Security Operations And Move Beyond Legacy SIEM
Nov 6, 2024Unleashing AI to Assess Cyber Security Risk
Nov 12, 2024Securing Tomorrow, Today: How to Navigate Zero Trust
Nov 13, 2024The State of Attack Surface Management (ASM), Featuring Forrester
Nov 15, 2024Applying the Principle of Least Privilege to the Cloud
Nov 18, 2024